Login
[x]
Log in using an account from:
Fedora Account System
Red Hat Associate
Red Hat Customer
Or login using a Red Hat Bugzilla account
Forgot Password
Login:
Hide Forgot
Create an Account
Red Hat Bugzilla – Attachment 1478985 Details for
Bug 1392681
SCAP Security Guide remediation fail - CCE-80258-7 - Disable KDump Kernel Crash Analyzer (kdump)
[?]
New
Simple Search
Advanced Search
My Links
Browse
Requests
Reports
Current State
Search
Tabular reports
Graphical reports
Duplicates
Other Reports
User Changes
Plotly Reports
Bug Status
Bug Severity
Non-Defaults
|
Product Dashboard
Help
Page Help!
Bug Writing Guidelines
What's new
Browser Support Policy
5.0.4.rh83 Release notes
FAQ
Guides index
User guide
Web Services
Contact
Legal
This site requires JavaScript to be enabled to function correctly, please enable it.
failed anaconda hardening run
eval_remediate_report.html (text/html), 1.66 MB, created by
Marek Haicman
on 2018-08-27 15:22:39 UTC
(
hide
)
Description:
failed anaconda hardening run
Filename:
MIME Type:
Creator:
Marek Haicman
Created:
2018-08-27 15:22:39 UTC
Size:
1.66 MB
patch
obsolete
><!DOCTYPE html><html xmlns="http://www.w3.org/1999/xhtml" xmlns:arf="http://scap.nist.gov/schema/asset-reporting-format/1.1" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><meta charset="utf-8"></meta><meta http-equiv="X-UA-Compatible" content="IE=edge"></meta><meta name="viewport" content="width=device-width, initial-scale=1"></meta><title>xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_stig-rhel7-disa | OpenSCAP Evaluation Report</title><style> >/*! > * Bootstrap v3.3.7 (http://getbootstrap.com) > * Copyright 2011-2016 Twitter, Inc. > * Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE) > */ > >/*! > * Generated using the Bootstrap Customizer (https://getbootstrap.com/customize/?id=8160adef040364fa8f688f6065765caf) > * Config saved to config.json and https://gist.github.com/8160adef040364fa8f688f6065765caf > *//*! > * Bootstrap v3.3.7 (http://getbootstrap.com) > * Copyright 2011-2016 Twitter, Inc. > * Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE) > *//*! normalize.css v3.0.3 | MIT License | github.com/necolas/normalize.css */html{font-family:sans-serif;-ms-text-size-adjust:100%;-webkit-text-size-adjust:100%}body{margin:0}article,aside,details,figcaption,figure,footer,header,hgroup,main,menu,nav,section,summary{display:block}audio,canvas,progress,video{display:inline-block;vertical-align:baseline}audio:not([controls]){display:none;height:0}[hidden],template{display:none}a{background-color:transparent}a:active,a:hover{outline:0}abbr[title]{border-bottom:1px dotted}b,strong{font-weight:bold}dfn{font-style:italic}h1{font-size:2em;margin:0.67em 0}mark{background:#ff0;color:#000}small{font-size:80%}sub,sup{font-size:75%;line-height:0;position:relative;vertical-align:baseline}sup{top:-0.5em}sub{bottom:-0.25em}img{border:0}svg:not(:root){overflow:hidden}figure{margin:1em 40px}hr{-webkit-box-sizing:content-box;-moz-box-sizing:content-box;box-sizing:content-box;height:0}pre{overflow:auto}code,kbd,pre,samp{font-family:monospace, monospace;font-size:1em}button,input,optgroup,select,textarea{color:inherit;font:inherit;margin:0}button{overflow:visible}button,select{text-transform:none}button,html input[type="button"],input[type="reset"],input[type="submit"]{-webkit-appearance:button;cursor:pointer}button[disabled],html input[disabled]{cursor:default}button::-moz-focus-inner,input::-moz-focus-inner{border:0;padding:0}input{line-height:normal}input[type="checkbox"],input[type="radio"]{-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box;padding:0}input[type="number"]::-webkit-inner-spin-button,input[type="number"]::-webkit-outer-spin-button{height:auto}input[type="search"]{-webkit-appearance:textfield;-webkit-box-sizing:content-box;-moz-box-sizing:content-box;box-sizing:content-box}input[type="search"]::-webkit-search-cancel-button,input[type="search"]::-webkit-search-decoration{-webkit-appearance:none}fieldset{border:1px solid #c0c0c0;margin:0 2px;padding:0.35em 0.625em 0.75em}legend{border:0;padding:0}textarea{overflow:auto}optgroup{font-weight:bold}table{border-collapse:collapse;border-spacing:0}td,th{padding:0}/*! Source: https://github.com/h5bp/html5-boilerplate/blob/master/src/css/main.css */@media print{*,*:before,*:after{background:transparent !important;color:#000 !important;-webkit-box-shadow:none !important;box-shadow:none !important;text-shadow:none !important}a,a:visited{text-decoration:underline}a[href]:after{content:" (" attr(href) ")"}abbr[title]:after{content:" (" attr(title) ")"}a[href^="#"]:after,a[href^="javascript:"]:after{content:""}pre,blockquote{border:1px solid #999;page-break-inside:avoid}thead{display:table-header-group}tr,img{page-break-inside:avoid}img{max-width:100% !important}p,h2,h3{orphans:3;widows:3}h2,h3{page-break-after:avoid}.navbar{display:none}.btn>.caret,.dropup>.btn>.caret{border-top-color:#000 !important}.label{border:1px solid #000}.table{border-collapse:collapse !important}.table td,.table th{background-color:#fff !important}.table-bordered th,.table-bordered td{border:1px solid #ddd !important}}*{-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}*:before,*:after{-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}html{font-size:10px;-webkit-tap-highlight-color:rgba(0,0,0,0)}body{font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;font-size:14px;line-height:1.42857143;color:#333;background-color:#fff}input,button,select,textarea{font-family:inherit;font-size:inherit;line-height:inherit}a{color:#428bca;text-decoration:none}a:hover,a:focus{color:#2a6496;text-decoration:underline}a:focus{outline:5px auto -webkit-focus-ring-color;outline-offset:-2px}figure{margin:0}img{vertical-align:middle}.img-responsive{display:block;max-width:100%;height:auto}.img-rounded{border-radius:6px}.img-thumbnail{padding:4px;line-height:1.42857143;background-color:#fff;border:1px solid #ddd;border-radius:4px;-webkit-transition:all .2s ease-in-out;-o-transition:all .2s ease-in-out;transition:all .2s ease-in-out;display:inline-block;max-width:100%;height:auto}.img-circle{border-radius:50%}hr{margin-top:20px;margin-bottom:20px;border:0;border-top:1px solid #eee}.sr-only{position:absolute;width:1px;height:1px;margin:-1px;padding:0;overflow:hidden;clip:rect(0, 0, 0, 0);border:0}.sr-only-focusable:active,.sr-only-focusable:focus{position:static;width:auto;height:auto;margin:0;overflow:visible;clip:auto}[role="button"]{cursor:pointer}h1,h2,h3,h4,h5,h6,.h1,.h2,.h3,.h4,.h5,.h6{font-family:inherit;font-weight:500;line-height:1.1;color:inherit}h1 small,h2 small,h3 small,h4 small,h5 small,h6 small,.h1 small,.h2 small,.h3 small,.h4 small,.h5 small,.h6 small,h1 .small,h2 .small,h3 .small,h4 .small,h5 .small,h6 .small,.h1 .small,.h2 .small,.h3 .small,.h4 .small,.h5 .small,.h6 .small{font-weight:normal;line-height:1;color:#777}h1,.h1,h2,.h2,h3,.h3{margin-top:20px;margin-bottom:10px}h1 small,.h1 small,h2 small,.h2 small,h3 small,.h3 small,h1 .small,.h1 .small,h2 .small,.h2 .small,h3 .small,.h3 .small{font-size:65%}h4,.h4,h5,.h5,h6,.h6{margin-top:10px;margin-bottom:10px}h4 small,.h4 small,h5 small,.h5 small,h6 small,.h6 small,h4 .small,.h4 .small,h5 .small,.h5 .small,h6 .small,.h6 .small{font-size:75%}h1,.h1{font-size:36px}h2,.h2{font-size:30px}h3,.h3{font-size:24px}h4,.h4{font-size:18px}h5,.h5{font-size:14px}h6,.h6{font-size:12px}p{margin:0 0 10px}.lead{margin-bottom:20px;font-size:16px;font-weight:300;line-height:1.4}@media (min-width:768px){.lead{font-size:21px}}small,.small{font-size:85%}mark,.mark{background-color:#fcf8e3;padding:.2em}.text-left{text-align:left}.text-right{text-align:right}.text-center{text-align:center}.text-justify{text-align:justify}.text-nowrap{white-space:nowrap}.text-lowercase{text-transform:lowercase}.text-uppercase{text-transform:uppercase}.text-capitalize{text-transform:capitalize}.text-muted{color:#777}.text-primary{color:#428bca}a.text-primary:hover,a.text-primary:focus{color:#3071a9}.text-success{color:#3c763d}a.text-success:hover,a.text-success:focus{color:#2b542c}.text-info{color:#31708f}a.text-info:hover,a.text-info:focus{color:#245269}.text-warning{color:#8a6d3b}a.text-warning:hover,a.text-warning:focus{color:#66512c}.text-danger{color:#a94442}a.text-danger:hover,a.text-danger:focus{color:#843534}.bg-primary{color:#fff;background-color:#428bca}a.bg-primary:hover,a.bg-primary:focus{background-color:#3071a9}.bg-success{background-color:#dff0d8}a.bg-success:hover,a.bg-success:focus{background-color:#c1e2b3}.bg-info{background-color:#d9edf7}a.bg-info:hover,a.bg-info:focus{background-color:#afd9ee}.bg-warning{background-color:#fcf8e3}a.bg-warning:hover,a.bg-warning:focus{background-color:#f7ecb5}.bg-danger{background-color:#f2dede}a.bg-danger:hover,a.bg-danger:focus{background-color:#e4b9b9}.page-header{padding-bottom:9px;margin:40px 0 20px;border-bottom:1px solid #eee}ul,ol{margin-top:0;margin-bottom:10px}ul ul,ol ul,ul ol,ol ol{margin-bottom:0}.list-unstyled{padding-left:0;list-style:none}.list-inline{padding-left:0;list-style:none;margin-left:-5px}.list-inline>li{display:inline-block;padding-left:5px;padding-right:5px}dl{margin-top:0;margin-bottom:20px}dt,dd{line-height:1.42857143}dt{font-weight:bold}dd{margin-left:0}@media (min-width:768px){.dl-horizontal dt{float:left;width:160px;clear:left;text-align:right;overflow:hidden;text-overflow:ellipsis;white-space:nowrap}.dl-horizontal dd{margin-left:180px}}abbr[title],abbr[data-original-title]{cursor:help;border-bottom:1px dotted #777}.initialism{font-size:90%;text-transform:uppercase}blockquote{padding:10px 20px;margin:0 0 20px;font-size:17.5px;border-left:5px solid #eee}blockquote p:last-child,blockquote ul:last-child,blockquote ol:last-child{margin-bottom:0}blockquote footer,blockquote small,blockquote .small{display:block;font-size:80%;line-height:1.42857143;color:#777}blockquote footer:before,blockquote small:before,blockquote .small:before{content:'\2014 \00A0'}.blockquote-reverse,blockquote.pull-right{padding-right:15px;padding-left:0;border-right:5px solid #eee;border-left:0;text-align:right}.blockquote-reverse footer:before,blockquote.pull-right footer:before,.blockquote-reverse small:before,blockquote.pull-right small:before,.blockquote-reverse .small:before,blockquote.pull-right .small:before{content:''}.blockquote-reverse footer:after,blockquote.pull-right footer:after,.blockquote-reverse small:after,blockquote.pull-right small:after,.blockquote-reverse .small:after,blockquote.pull-right .small:after{content:'\00A0 \2014'}address{margin-bottom:20px;font-style:normal;line-height:1.42857143}code,kbd,pre,samp{font-family:Menlo,Monaco,Consolas,"Courier New",monospace}code{padding:2px 4px;font-size:90%;color:#c7254e;background-color:#f9f2f4;border-radius:4px}kbd{padding:2px 4px;font-size:90%;color:#fff;background-color:#333;border-radius:3px;-webkit-box-shadow:inset 0 -1px 0 rgba(0,0,0,0.25);box-shadow:inset 0 -1px 0 rgba(0,0,0,0.25)}kbd kbd{padding:0;font-size:100%;font-weight:bold;-webkit-box-shadow:none;box-shadow:none}pre{display:block;padding:9.5px;margin:0 0 10px;font-size:13px;line-height:1.42857143;word-break:break-all;word-wrap:break-word;color:#333;background-color:#f5f5f5;border:1px solid #ccc;border-radius:4px}pre code{padding:0;font-size:inherit;color:inherit;white-space:pre-wrap;background-color:transparent;border-radius:0}.pre-scrollable{max-height:340px;overflow-y:scroll}.container{margin-right:auto;margin-left:auto;padding-left:15px;padding-right:15px}@media (min-width:768px){.container{width:750px}}@media (min-width:992px){.container{width:970px}}@media (min-width:1200px){.container{width:1170px}}.container-fluid{margin-right:auto;margin-left:auto;padding-left:15px;padding-right:15px}.row{margin-left:-15px;margin-right:-15px}.col-xs-1, .col-sm-1, .col-md-1, .col-lg-1, .col-xs-2, .col-sm-2, .col-md-2, .col-lg-2, .col-xs-3, .col-sm-3, .col-md-3, .col-lg-3, .col-xs-4, .col-sm-4, .col-md-4, .col-lg-4, .col-xs-5, .col-sm-5, .col-md-5, .col-lg-5, .col-xs-6, .col-sm-6, .col-md-6, .col-lg-6, .col-xs-7, .col-sm-7, .col-md-7, .col-lg-7, .col-xs-8, .col-sm-8, .col-md-8, .col-lg-8, .col-xs-9, .col-sm-9, .col-md-9, .col-lg-9, .col-xs-10, .col-sm-10, .col-md-10, .col-lg-10, .col-xs-11, .col-sm-11, .col-md-11, .col-lg-11, .col-xs-12, .col-sm-12, .col-md-12, .col-lg-12{position:relative;min-height:1px;padding-left:15px;padding-right:15px}.col-xs-1, .col-xs-2, .col-xs-3, .col-xs-4, .col-xs-5, .col-xs-6, .col-xs-7, .col-xs-8, .col-xs-9, .col-xs-10, .col-xs-11, .col-xs-12{float:left}.col-xs-12{width:100%}.col-xs-11{width:91.66666667%}.col-xs-10{width:83.33333333%}.col-xs-9{width:75%}.col-xs-8{width:66.66666667%}.col-xs-7{width:58.33333333%}.col-xs-6{width:50%}.col-xs-5{width:41.66666667%}.col-xs-4{width:33.33333333%}.col-xs-3{width:25%}.col-xs-2{width:16.66666667%}.col-xs-1{width:8.33333333%}.col-xs-pull-12{right:100%}.col-xs-pull-11{right:91.66666667%}.col-xs-pull-10{right:83.33333333%}.col-xs-pull-9{right:75%}.col-xs-pull-8{right:66.66666667%}.col-xs-pull-7{right:58.33333333%}.col-xs-pull-6{right:50%}.col-xs-pull-5{right:41.66666667%}.col-xs-pull-4{right:33.33333333%}.col-xs-pull-3{right:25%}.col-xs-pull-2{right:16.66666667%}.col-xs-pull-1{right:8.33333333%}.col-xs-pull-0{right:auto}.col-xs-push-12{left:100%}.col-xs-push-11{left:91.66666667%}.col-xs-push-10{left:83.33333333%}.col-xs-push-9{left:75%}.col-xs-push-8{left:66.66666667%}.col-xs-push-7{left:58.33333333%}.col-xs-push-6{left:50%}.col-xs-push-5{left:41.66666667%}.col-xs-push-4{left:33.33333333%}.col-xs-push-3{left:25%}.col-xs-push-2{left:16.66666667%}.col-xs-push-1{left:8.33333333%}.col-xs-push-0{left:auto}.col-xs-offset-12{margin-left:100%}.col-xs-offset-11{margin-left:91.66666667%}.col-xs-offset-10{margin-left:83.33333333%}.col-xs-offset-9{margin-left:75%}.col-xs-offset-8{margin-left:66.66666667%}.col-xs-offset-7{margin-left:58.33333333%}.col-xs-offset-6{margin-left:50%}.col-xs-offset-5{margin-left:41.66666667%}.col-xs-offset-4{margin-left:33.33333333%}.col-xs-offset-3{margin-left:25%}.col-xs-offset-2{margin-left:16.66666667%}.col-xs-offset-1{margin-left:8.33333333%}.col-xs-offset-0{margin-left:0}@media (min-width:768px){.col-sm-1, .col-sm-2, .col-sm-3, .col-sm-4, .col-sm-5, .col-sm-6, .col-sm-7, .col-sm-8, .col-sm-9, .col-sm-10, .col-sm-11, .col-sm-12{float:left}.col-sm-12{width:100%}.col-sm-11{width:91.66666667%}.col-sm-10{width:83.33333333%}.col-sm-9{width:75%}.col-sm-8{width:66.66666667%}.col-sm-7{width:58.33333333%}.col-sm-6{width:50%}.col-sm-5{width:41.66666667%}.col-sm-4{width:33.33333333%}.col-sm-3{width:25%}.col-sm-2{width:16.66666667%}.col-sm-1{width:8.33333333%}.col-sm-pull-12{right:100%}.col-sm-pull-11{right:91.66666667%}.col-sm-pull-10{right:83.33333333%}.col-sm-pull-9{right:75%}.col-sm-pull-8{right:66.66666667%}.col-sm-pull-7{right:58.33333333%}.col-sm-pull-6{right:50%}.col-sm-pull-5{right:41.66666667%}.col-sm-pull-4{right:33.33333333%}.col-sm-pull-3{right:25%}.col-sm-pull-2{right:16.66666667%}.col-sm-pull-1{right:8.33333333%}.col-sm-pull-0{right:auto}.col-sm-push-12{left:100%}.col-sm-push-11{left:91.66666667%}.col-sm-push-10{left:83.33333333%}.col-sm-push-9{left:75%}.col-sm-push-8{left:66.66666667%}.col-sm-push-7{left:58.33333333%}.col-sm-push-6{left:50%}.col-sm-push-5{left:41.66666667%}.col-sm-push-4{left:33.33333333%}.col-sm-push-3{left:25%}.col-sm-push-2{left:16.66666667%}.col-sm-push-1{left:8.33333333%}.col-sm-push-0{left:auto}.col-sm-offset-12{margin-left:100%}.col-sm-offset-11{margin-left:91.66666667%}.col-sm-offset-10{margin-left:83.33333333%}.col-sm-offset-9{margin-left:75%}.col-sm-offset-8{margin-left:66.66666667%}.col-sm-offset-7{margin-left:58.33333333%}.col-sm-offset-6{margin-left:50%}.col-sm-offset-5{margin-left:41.66666667%}.col-sm-offset-4{margin-left:33.33333333%}.col-sm-offset-3{margin-left:25%}.col-sm-offset-2{margin-left:16.66666667%}.col-sm-offset-1{margin-left:8.33333333%}.col-sm-offset-0{margin-left:0}}@media (min-width:992px){.col-md-1, .col-md-2, .col-md-3, .col-md-4, .col-md-5, .col-md-6, .col-md-7, .col-md-8, .col-md-9, .col-md-10, .col-md-11, .col-md-12{float:left}.col-md-12{width:100%}.col-md-11{width:91.66666667%}.col-md-10{width:83.33333333%}.col-md-9{width:75%}.col-md-8{width:66.66666667%}.col-md-7{width:58.33333333%}.col-md-6{width:50%}.col-md-5{width:41.66666667%}.col-md-4{width:33.33333333%}.col-md-3{width:25%}.col-md-2{width:16.66666667%}.col-md-1{width:8.33333333%}.col-md-pull-12{right:100%}.col-md-pull-11{right:91.66666667%}.col-md-pull-10{right:83.33333333%}.col-md-pull-9{right:75%}.col-md-pull-8{right:66.66666667%}.col-md-pull-7{right:58.33333333%}.col-md-pull-6{right:50%}.col-md-pull-5{right:41.66666667%}.col-md-pull-4{right:33.33333333%}.col-md-pull-3{right:25%}.col-md-pull-2{right:16.66666667%}.col-md-pull-1{right:8.33333333%}.col-md-pull-0{right:auto}.col-md-push-12{left:100%}.col-md-push-11{left:91.66666667%}.col-md-push-10{left:83.33333333%}.col-md-push-9{left:75%}.col-md-push-8{left:66.66666667%}.col-md-push-7{left:58.33333333%}.col-md-push-6{left:50%}.col-md-push-5{left:41.66666667%}.col-md-push-4{left:33.33333333%}.col-md-push-3{left:25%}.col-md-push-2{left:16.66666667%}.col-md-push-1{left:8.33333333%}.col-md-push-0{left:auto}.col-md-offset-12{margin-left:100%}.col-md-offset-11{margin-left:91.66666667%}.col-md-offset-10{margin-left:83.33333333%}.col-md-offset-9{margin-left:75%}.col-md-offset-8{margin-left:66.66666667%}.col-md-offset-7{margin-left:58.33333333%}.col-md-offset-6{margin-left:50%}.col-md-offset-5{margin-left:41.66666667%}.col-md-offset-4{margin-left:33.33333333%}.col-md-offset-3{margin-left:25%}.col-md-offset-2{margin-left:16.66666667%}.col-md-offset-1{margin-left:8.33333333%}.col-md-offset-0{margin-left:0}}@media (min-width:1200px){.col-lg-1, .col-lg-2, .col-lg-3, .col-lg-4, .col-lg-5, .col-lg-6, .col-lg-7, .col-lg-8, .col-lg-9, .col-lg-10, .col-lg-11, .col-lg-12{float:left}.col-lg-12{width:100%}.col-lg-11{width:91.66666667%}.col-lg-10{width:83.33333333%}.col-lg-9{width:75%}.col-lg-8{width:66.66666667%}.col-lg-7{width:58.33333333%}.col-lg-6{width:50%}.col-lg-5{width:41.66666667%}.col-lg-4{width:33.33333333%}.col-lg-3{width:25%}.col-lg-2{width:16.66666667%}.col-lg-1{width:8.33333333%}.col-lg-pull-12{right:100%}.col-lg-pull-11{right:91.66666667%}.col-lg-pull-10{right:83.33333333%}.col-lg-pull-9{right:75%}.col-lg-pull-8{right:66.66666667%}.col-lg-pull-7{right:58.33333333%}.col-lg-pull-6{right:50%}.col-lg-pull-5{right:41.66666667%}.col-lg-pull-4{right:33.33333333%}.col-lg-pull-3{right:25%}.col-lg-pull-2{right:16.66666667%}.col-lg-pull-1{right:8.33333333%}.col-lg-pull-0{right:auto}.col-lg-push-12{left:100%}.col-lg-push-11{left:91.66666667%}.col-lg-push-10{left:83.33333333%}.col-lg-push-9{left:75%}.col-lg-push-8{left:66.66666667%}.col-lg-push-7{left:58.33333333%}.col-lg-push-6{left:50%}.col-lg-push-5{left:41.66666667%}.col-lg-push-4{left:33.33333333%}.col-lg-push-3{left:25%}.col-lg-push-2{left:16.66666667%}.col-lg-push-1{left:8.33333333%}.col-lg-push-0{left:auto}.col-lg-offset-12{margin-left:100%}.col-lg-offset-11{margin-left:91.66666667%}.col-lg-offset-10{margin-left:83.33333333%}.col-lg-offset-9{margin-left:75%}.col-lg-offset-8{margin-left:66.66666667%}.col-lg-offset-7{margin-left:58.33333333%}.col-lg-offset-6{margin-left:50%}.col-lg-offset-5{margin-left:41.66666667%}.col-lg-offset-4{margin-left:33.33333333%}.col-lg-offset-3{margin-left:25%}.col-lg-offset-2{margin-left:16.66666667%}.col-lg-offset-1{margin-left:8.33333333%}.col-lg-offset-0{margin-left:0}}table{background-color:transparent}caption{padding-top:8px;padding-bottom:8px;color:#777;text-align:left}th{text-align:left}.table{width:100%;max-width:100%;margin-bottom:20px}.table>thead>tr>th,.table>tbody>tr>th,.table>tfoot>tr>th,.table>thead>tr>td,.table>tbody>tr>td,.table>tfoot>tr>td{padding:8px;line-height:1.42857143;vertical-align:top;border-top:1px solid #ddd}.table>thead>tr>th{vertical-align:bottom;border-bottom:2px solid #ddd}.table>caption+thead>tr:first-child>th,.table>colgroup+thead>tr:first-child>th,.table>thead:first-child>tr:first-child>th,.table>caption+thead>tr:first-child>td,.table>colgroup+thead>tr:first-child>td,.table>thead:first-child>tr:first-child>td{border-top:0}.table>tbody+tbody{border-top:2px solid #ddd}.table .table{background-color:#fff}.table-condensed>thead>tr>th,.table-condensed>tbody>tr>th,.table-condensed>tfoot>tr>th,.table-condensed>thead>tr>td,.table-condensed>tbody>tr>td,.table-condensed>tfoot>tr>td{padding:5px}.table-bordered{border:1px solid #ddd}.table-bordered>thead>tr>th,.table-bordered>tbody>tr>th,.table-bordered>tfoot>tr>th,.table-bordered>thead>tr>td,.table-bordered>tbody>tr>td,.table-bordered>tfoot>tr>td{border:1px solid #ddd}.table-bordered>thead>tr>th,.table-bordered>thead>tr>td{border-bottom-width:2px}.table-striped>tbody>tr:nth-of-type(odd){background-color:#f9f9f9}.table-hover>tbody>tr:hover{background-color:#f5f5f5}table col[class*="col-"]{position:static;float:none;display:table-column}table td[class*="col-"],table th[class*="col-"]{position:static;float:none;display:table-cell}.table>thead>tr>td.active,.table>tbody>tr>td.active,.table>tfoot>tr>td.active,.table>thead>tr>th.active,.table>tbody>tr>th.active,.table>tfoot>tr>th.active,.table>thead>tr.active>td,.table>tbody>tr.active>td,.table>tfoot>tr.active>td,.table>thead>tr.active>th,.table>tbody>tr.active>th,.table>tfoot>tr.active>th{background-color:#f5f5f5}.table-hover>tbody>tr>td.active:hover,.table-hover>tbody>tr>th.active:hover,.table-hover>tbody>tr.active:hover>td,.table-hover>tbody>tr:hover>.active,.table-hover>tbody>tr.active:hover>th{background-color:#e8e8e8}.table>thead>tr>td.success,.table>tbody>tr>td.success,.table>tfoot>tr>td.success,.table>thead>tr>th.success,.table>tbody>tr>th.success,.table>tfoot>tr>th.success,.table>thead>tr.success>td,.table>tbody>tr.success>td,.table>tfoot>tr.success>td,.table>thead>tr.success>th,.table>tbody>tr.success>th,.table>tfoot>tr.success>th{background-color:#dff0d8}.table-hover>tbody>tr>td.success:hover,.table-hover>tbody>tr>th.success:hover,.table-hover>tbody>tr.success:hover>td,.table-hover>tbody>tr:hover>.success,.table-hover>tbody>tr.success:hover>th{background-color:#d0e9c6}.table>thead>tr>td.info,.table>tbody>tr>td.info,.table>tfoot>tr>td.info,.table>thead>tr>th.info,.table>tbody>tr>th.info,.table>tfoot>tr>th.info,.table>thead>tr.info>td,.table>tbody>tr.info>td,.table>tfoot>tr.info>td,.table>thead>tr.info>th,.table>tbody>tr.info>th,.table>tfoot>tr.info>th{background-color:#d9edf7}.table-hover>tbody>tr>td.info:hover,.table-hover>tbody>tr>th.info:hover,.table-hover>tbody>tr.info:hover>td,.table-hover>tbody>tr:hover>.info,.table-hover>tbody>tr.info:hover>th{background-color:#c4e3f3}.table>thead>tr>td.warning,.table>tbody>tr>td.warning,.table>tfoot>tr>td.warning,.table>thead>tr>th.warning,.table>tbody>tr>th.warning,.table>tfoot>tr>th.warning,.table>thead>tr.warning>td,.table>tbody>tr.warning>td,.table>tfoot>tr.warning>td,.table>thead>tr.warning>th,.table>tbody>tr.warning>th,.table>tfoot>tr.warning>th{background-color:#fcf8e3}.table-hover>tbody>tr>td.warning:hover,.table-hover>tbody>tr>th.warning:hover,.table-hover>tbody>tr.warning:hover>td,.table-hover>tbody>tr:hover>.warning,.table-hover>tbody>tr.warning:hover>th{background-color:#faf2cc}.table>thead>tr>td.danger,.table>tbody>tr>td.danger,.table>tfoot>tr>td.danger,.table>thead>tr>th.danger,.table>tbody>tr>th.danger,.table>tfoot>tr>th.danger,.table>thead>tr.danger>td,.table>tbody>tr.danger>td,.table>tfoot>tr.danger>td,.table>thead>tr.danger>th,.table>tbody>tr.danger>th,.table>tfoot>tr.danger>th{background-color:#f2dede}.table-hover>tbody>tr>td.danger:hover,.table-hover>tbody>tr>th.danger:hover,.table-hover>tbody>tr.danger:hover>td,.table-hover>tbody>tr:hover>.danger,.table-hover>tbody>tr.danger:hover>th{background-color:#ebcccc}.table-responsive{overflow-x:auto;min-height:0.01%}@media screen and (max-width:767px){.table-responsive{width:100%;margin-bottom:15px;overflow-y:hidden;-ms-overflow-style:-ms-autohiding-scrollbar;border:1px solid #ddd}.table-responsive>.table{margin-bottom:0}.table-responsive>.table>thead>tr>th,.table-responsive>.table>tbody>tr>th,.table-responsive>.table>tfoot>tr>th,.table-responsive>.table>thead>tr>td,.table-responsive>.table>tbody>tr>td,.table-responsive>.table>tfoot>tr>td{white-space:nowrap}.table-responsive>.table-bordered{border:0}.table-responsive>.table-bordered>thead>tr>th:first-child,.table-responsive>.table-bordered>tbody>tr>th:first-child,.table-responsive>.table-bordered>tfoot>tr>th:first-child,.table-responsive>.table-bordered>thead>tr>td:first-child,.table-responsive>.table-bordered>tbody>tr>td:first-child,.table-responsive>.table-bordered>tfoot>tr>td:first-child{border-left:0}.table-responsive>.table-bordered>thead>tr>th:last-child,.table-responsive>.table-bordered>tbody>tr>th:last-child,.table-responsive>.table-bordered>tfoot>tr>th:last-child,.table-responsive>.table-bordered>thead>tr>td:last-child,.table-responsive>.table-bordered>tbody>tr>td:last-child,.table-responsive>.table-bordered>tfoot>tr>td:last-child{border-right:0}.table-responsive>.table-bordered>tbody>tr:last-child>th,.table-responsive>.table-bordered>tfoot>tr:last-child>th,.table-responsive>.table-bordered>tbody>tr:last-child>td,.table-responsive>.table-bordered>tfoot>tr:last-child>td{border-bottom:0}}fieldset{padding:0;margin:0;border:0;min-width:0}legend{display:block;width:100%;padding:0;margin-bottom:20px;font-size:21px;line-height:inherit;color:#333;border:0;border-bottom:1px solid #e5e5e5}label{display:inline-block;max-width:100%;margin-bottom:5px;font-weight:bold}input[type="search"]{-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}input[type="radio"],input[type="checkbox"]{margin:4px 0 0;margin-top:1px \9;line-height:normal}input[type="file"]{display:block}input[type="range"]{display:block;width:100%}select[multiple],select[size]{height:auto}input[type="file"]:focus,input[type="radio"]:focus,input[type="checkbox"]:focus{outline:5px auto -webkit-focus-ring-color;outline-offset:-2px}output{display:block;padding-top:7px;font-size:14px;line-height:1.42857143;color:#555}.form-control{display:block;width:100%;height:34px;padding:6px 12px;font-size:14px;line-height:1.42857143;color:#555;background-color:#fff;background-image:none;border:1px solid #ccc;border-radius:4px;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,0.075);box-shadow:inset 0 1px 1px rgba(0,0,0,0.075);-webkit-transition:border-color ease-in-out .15s, -webkit-box-shadow ease-in-out .15s;-o-transition:border-color ease-in-out .15s, box-shadow ease-in-out .15s;transition:border-color ease-in-out .15s, box-shadow ease-in-out .15s}.form-control:focus{border-color:#66afe9;outline:0;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075), 0 0 8px rgba(102, 175, 233, 0.6);box-shadow:inset 0 1px 1px rgba(0,0,0,.075), 0 0 8px rgba(102, 175, 233, 0.6)}.form-control::-moz-placeholder{color:#777;opacity:1}.form-control:-ms-input-placeholder{color:#777}.form-control::-webkit-input-placeholder{color:#777}.form-control::-ms-expand{border:0;background-color:transparent}.form-control[disabled],.form-control[readonly],fieldset[disabled] .form-control{background-color:#eee;opacity:1}.form-control[disabled],fieldset[disabled] .form-control{cursor:not-allowed}textarea.form-control{height:auto}input[type="search"]{-webkit-appearance:none}@media screen and (-webkit-min-device-pixel-ratio:0){input[type="date"].form-control,input[type="time"].form-control,input[type="datetime-local"].form-control,input[type="month"].form-control{line-height:34px}input[type="date"].input-sm,input[type="time"].input-sm,input[type="datetime-local"].input-sm,input[type="month"].input-sm,.input-group-sm input[type="date"],.input-group-sm input[type="time"],.input-group-sm input[type="datetime-local"],.input-group-sm input[type="month"]{line-height:30px}input[type="date"].input-lg,input[type="time"].input-lg,input[type="datetime-local"].input-lg,input[type="month"].input-lg,.input-group-lg input[type="date"],.input-group-lg input[type="time"],.input-group-lg input[type="datetime-local"],.input-group-lg input[type="month"]{line-height:46px}}.form-group{margin-bottom:15px}.radio,.checkbox{position:relative;display:block;margin-top:10px;margin-bottom:10px}.radio label,.checkbox label{min-height:20px;padding-left:20px;margin-bottom:0;font-weight:normal;cursor:pointer}.radio input[type="radio"],.radio-inline input[type="radio"],.checkbox input[type="checkbox"],.checkbox-inline input[type="checkbox"]{position:absolute;margin-left:-20px;margin-top:4px \9}.radio+.radio,.checkbox+.checkbox{margin-top:-5px}.radio-inline,.checkbox-inline{position:relative;display:inline-block;padding-left:20px;margin-bottom:0;vertical-align:middle;font-weight:normal;cursor:pointer}.radio-inline+.radio-inline,.checkbox-inline+.checkbox-inline{margin-top:0;margin-left:10px}input[type="radio"][disabled],input[type="checkbox"][disabled],input[type="radio"].disabled,input[type="checkbox"].disabled,fieldset[disabled] input[type="radio"],fieldset[disabled] input[type="checkbox"]{cursor:not-allowed}.radio-inline.disabled,.checkbox-inline.disabled,fieldset[disabled] .radio-inline,fieldset[disabled] .checkbox-inline{cursor:not-allowed}.radio.disabled label,.checkbox.disabled label,fieldset[disabled] .radio label,fieldset[disabled] .checkbox label{cursor:not-allowed}.form-control-static{padding-top:7px;padding-bottom:7px;margin-bottom:0;min-height:34px}.form-control-static.input-lg,.form-control-static.input-sm{padding-left:0;padding-right:0}.input-sm{height:30px;padding:5px 10px;font-size:12px;line-height:1.5;border-radius:3px}select.input-sm{height:30px;line-height:30px}textarea.input-sm,select[multiple].input-sm{height:auto}.form-group-sm .form-control{height:30px;padding:5px 10px;font-size:12px;line-height:1.5;border-radius:3px}.form-group-sm select.form-control{height:30px;line-height:30px}.form-group-sm textarea.form-control,.form-group-sm select[multiple].form-control{height:auto}.form-group-sm .form-control-static{height:30px;min-height:32px;padding:6px 10px;font-size:12px;line-height:1.5}.input-lg{height:46px;padding:10px 16px;font-size:18px;line-height:1.33;border-radius:6px}select.input-lg{height:46px;line-height:46px}textarea.input-lg,select[multiple].input-lg{height:auto}.form-group-lg .form-control{height:46px;padding:10px 16px;font-size:18px;line-height:1.33;border-radius:6px}.form-group-lg select.form-control{height:46px;line-height:46px}.form-group-lg textarea.form-control,.form-group-lg select[multiple].form-control{height:auto}.form-group-lg .form-control-static{height:46px;min-height:38px;padding:11px 16px;font-size:18px;line-height:1.33}.has-feedback{position:relative}.has-feedback .form-control{padding-right:42.5px}.form-control-feedback{position:absolute;top:0;right:0;z-index:2;display:block;width:34px;height:34px;line-height:34px;text-align:center;pointer-events:none}.input-lg+.form-control-feedback,.input-group-lg+.form-control-feedback,.form-group-lg .form-control+.form-control-feedback{width:46px;height:46px;line-height:46px}.input-sm+.form-control-feedback,.input-group-sm+.form-control-feedback,.form-group-sm .form-control+.form-control-feedback{width:30px;height:30px;line-height:30px}.has-success .help-block,.has-success .control-label,.has-success .radio,.has-success .checkbox,.has-success .radio-inline,.has-success .checkbox-inline,.has-success.radio label,.has-success.checkbox label,.has-success.radio-inline label,.has-success.checkbox-inline label{color:#3c763d}.has-success .form-control{border-color:#3c763d;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,0.075);box-shadow:inset 0 1px 1px rgba(0,0,0,0.075)}.has-success .form-control:focus{border-color:#2b542c;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,0.075),0 0 6px #67b168;box-shadow:inset 0 1px 1px rgba(0,0,0,0.075),0 0 6px #67b168}.has-success .input-group-addon{color:#3c763d;border-color:#3c763d;background-color:#dff0d8}.has-success .form-control-feedback{color:#3c763d}.has-warning .help-block,.has-warning .control-label,.has-warning .radio,.has-warning .checkbox,.has-warning .radio-inline,.has-warning .checkbox-inline,.has-warning.radio label,.has-warning.checkbox label,.has-warning.radio-inline label,.has-warning.checkbox-inline label{color:#8a6d3b}.has-warning .form-control{border-color:#8a6d3b;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,0.075);box-shadow:inset 0 1px 1px rgba(0,0,0,0.075)}.has-warning .form-control:focus{border-color:#66512c;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,0.075),0 0 6px #c0a16b;box-shadow:inset 0 1px 1px rgba(0,0,0,0.075),0 0 6px #c0a16b}.has-warning .input-group-addon{color:#8a6d3b;border-color:#8a6d3b;background-color:#fcf8e3}.has-warning .form-control-feedback{color:#8a6d3b}.has-error .help-block,.has-error .control-label,.has-error .radio,.has-error .checkbox,.has-error .radio-inline,.has-error .checkbox-inline,.has-error.radio label,.has-error.checkbox label,.has-error.radio-inline label,.has-error.checkbox-inline label{color:#a94442}.has-error .form-control{border-color:#a94442;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,0.075);box-shadow:inset 0 1px 1px rgba(0,0,0,0.075)}.has-error .form-control:focus{border-color:#843534;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,0.075),0 0 6px #ce8483;box-shadow:inset 0 1px 1px rgba(0,0,0,0.075),0 0 6px #ce8483}.has-error .input-group-addon{color:#a94442;border-color:#a94442;background-color:#f2dede}.has-error .form-control-feedback{color:#a94442}.has-feedback label~.form-control-feedback{top:25px}.has-feedback label.sr-only~.form-control-feedback{top:0}.help-block{display:block;margin-top:5px;margin-bottom:10px;color:#737373}@media (min-width:768px){.form-inline .form-group{display:inline-block;margin-bottom:0;vertical-align:middle}.form-inline .form-control{display:inline-block;width:auto;vertical-align:middle}.form-inline .form-control-static{display:inline-block}.form-inline .input-group{display:inline-table;vertical-align:middle}.form-inline .input-group .input-group-addon,.form-inline .input-group .input-group-btn,.form-inline .input-group .form-control{width:auto}.form-inline .input-group>.form-control{width:100%}.form-inline .control-label{margin-bottom:0;vertical-align:middle}.form-inline .radio,.form-inline .checkbox{display:inline-block;margin-top:0;margin-bottom:0;vertical-align:middle}.form-inline .radio label,.form-inline .checkbox label{padding-left:0}.form-inline .radio input[type="radio"],.form-inline .checkbox input[type="checkbox"]{position:relative;margin-left:0}.form-inline .has-feedback .form-control-feedback{top:0}}.form-horizontal .radio,.form-horizontal .checkbox,.form-horizontal .radio-inline,.form-horizontal .checkbox-inline{margin-top:0;margin-bottom:0;padding-top:7px}.form-horizontal .radio,.form-horizontal .checkbox{min-height:27px}.form-horizontal .form-group{margin-left:-15px;margin-right:-15px}@media (min-width:768px){.form-horizontal .control-label{text-align:right;margin-bottom:0;padding-top:7px}}.form-horizontal .has-feedback .form-control-feedback{right:15px}@media (min-width:768px){.form-horizontal .form-group-lg .control-label{padding-top:11px;font-size:18px}}@media (min-width:768px){.form-horizontal .form-group-sm .control-label{padding-top:6px;font-size:12px}}.btn{display:inline-block;margin-bottom:0;font-weight:normal;text-align:center;vertical-align:middle;-ms-touch-action:manipulation;touch-action:manipulation;cursor:pointer;background-image:none;border:1px solid transparent;white-space:nowrap;padding:6px 12px;font-size:14px;line-height:1.42857143;border-radius:4px;-webkit-user-select:none;-moz-user-select:none;-ms-user-select:none;user-select:none}.btn:focus,.btn:active:focus,.btn.active:focus,.btn.focus,.btn:active.focus,.btn.active.focus{outline:5px auto -webkit-focus-ring-color;outline-offset:-2px}.btn:hover,.btn:focus,.btn.focus{color:#333;text-decoration:none}.btn:active,.btn.active{outline:0;background-image:none;-webkit-box-shadow:inset 0 3px 5px rgba(0,0,0,0.125);box-shadow:inset 0 3px 5px rgba(0,0,0,0.125)}.btn.disabled,.btn[disabled],fieldset[disabled] .btn{cursor:not-allowed;opacity:.65;filter:alpha(opacity=65);-webkit-box-shadow:none;box-shadow:none}a.btn.disabled,fieldset[disabled] a.btn{pointer-events:none}.btn-default{color:#333;background-color:#fff;border-color:#ccc}.btn-default:focus,.btn-default.focus{color:#333;background-color:#e6e6e6;border-color:#8c8c8c}.btn-default:hover{color:#333;background-color:#e6e6e6;border-color:#adadad}.btn-default:active,.btn-default.active,.open>.dropdown-toggle.btn-default{color:#333;background-color:#e6e6e6;border-color:#adadad}.btn-default:active:hover,.btn-default.active:hover,.open>.dropdown-toggle.btn-default:hover,.btn-default:active:focus,.btn-default.active:focus,.open>.dropdown-toggle.btn-default:focus,.btn-default:active.focus,.btn-default.active.focus,.open>.dropdown-toggle.btn-default.focus{color:#333;background-color:#d4d4d4;border-color:#8c8c8c}.btn-default:active,.btn-default.active,.open>.dropdown-toggle.btn-default{background-image:none}.btn-default.disabled:hover,.btn-default[disabled]:hover,fieldset[disabled] .btn-default:hover,.btn-default.disabled:focus,.btn-default[disabled]:focus,fieldset[disabled] .btn-default:focus,.btn-default.disabled.focus,.btn-default[disabled].focus,fieldset[disabled] .btn-default.focus{background-color:#fff;border-color:#ccc}.btn-default .badge{color:#fff;background-color:#333}.btn-primary{color:#fff;background-color:#428bca;border-color:#357ebd}.btn-primary:focus,.btn-primary.focus{color:#fff;background-color:#3071a9;border-color:#193c5a}.btn-primary:hover{color:#fff;background-color:#3071a9;border-color:#285e8e}.btn-primary:active,.btn-primary.active,.open>.dropdown-toggle.btn-primary{color:#fff;background-color:#3071a9;border-color:#285e8e}.btn-primary:active:hover,.btn-primary.active:hover,.open>.dropdown-toggle.btn-primary:hover,.btn-primary:active:focus,.btn-primary.active:focus,.open>.dropdown-toggle.btn-primary:focus,.btn-primary:active.focus,.btn-primary.active.focus,.open>.dropdown-toggle.btn-primary.focus{color:#fff;background-color:#285e8e;border-color:#193c5a}.btn-primary:active,.btn-primary.active,.open>.dropdown-toggle.btn-primary{background-image:none}.btn-primary.disabled:hover,.btn-primary[disabled]:hover,fieldset[disabled] .btn-primary:hover,.btn-primary.disabled:focus,.btn-primary[disabled]:focus,fieldset[disabled] .btn-primary:focus,.btn-primary.disabled.focus,.btn-primary[disabled].focus,fieldset[disabled] .btn-primary.focus{background-color:#428bca;border-color:#357ebd}.btn-primary .badge{color:#428bca;background-color:#fff}.btn-success{color:#fff;background-color:#5cb85c;border-color:#4cae4c}.btn-success:focus,.btn-success.focus{color:#fff;background-color:#449d44;border-color:#255625}.btn-success:hover{color:#fff;background-color:#449d44;border-color:#398439}.btn-success:active,.btn-success.active,.open>.dropdown-toggle.btn-success{color:#fff;background-color:#449d44;border-color:#398439}.btn-success:active:hover,.btn-success.active:hover,.open>.dropdown-toggle.btn-success:hover,.btn-success:active:focus,.btn-success.active:focus,.open>.dropdown-toggle.btn-success:focus,.btn-success:active.focus,.btn-success.active.focus,.open>.dropdown-toggle.btn-success.focus{color:#fff;background-color:#398439;border-color:#255625}.btn-success:active,.btn-success.active,.open>.dropdown-toggle.btn-success{background-image:none}.btn-success.disabled:hover,.btn-success[disabled]:hover,fieldset[disabled] .btn-success:hover,.btn-success.disabled:focus,.btn-success[disabled]:focus,fieldset[disabled] .btn-success:focus,.btn-success.disabled.focus,.btn-success[disabled].focus,fieldset[disabled] .btn-success.focus{background-color:#5cb85c;border-color:#4cae4c}.btn-success .badge{color:#5cb85c;background-color:#fff}.btn-info{color:#fff;background-color:#5bc0de;border-color:#46b8da}.btn-info:focus,.btn-info.focus{color:#fff;background-color:#31b0d5;border-color:#1b6d85}.btn-info:hover{color:#fff;background-color:#31b0d5;border-color:#269abc}.btn-info:active,.btn-info.active,.open>.dropdown-toggle.btn-info{color:#fff;background-color:#31b0d5;border-color:#269abc}.btn-info:active:hover,.btn-info.active:hover,.open>.dropdown-toggle.btn-info:hover,.btn-info:active:focus,.btn-info.active:focus,.open>.dropdown-toggle.btn-info:focus,.btn-info:active.focus,.btn-info.active.focus,.open>.dropdown-toggle.btn-info.focus{color:#fff;background-color:#269abc;border-color:#1b6d85}.btn-info:active,.btn-info.active,.open>.dropdown-toggle.btn-info{background-image:none}.btn-info.disabled:hover,.btn-info[disabled]:hover,fieldset[disabled] .btn-info:hover,.btn-info.disabled:focus,.btn-info[disabled]:focus,fieldset[disabled] .btn-info:focus,.btn-info.disabled.focus,.btn-info[disabled].focus,fieldset[disabled] .btn-info.focus{background-color:#5bc0de;border-color:#46b8da}.btn-info .badge{color:#5bc0de;background-color:#fff}.btn-warning{color:#fff;background-color:#f0ad4e;border-color:#eea236}.btn-warning:focus,.btn-warning.focus{color:#fff;background-color:#ec971f;border-color:#985f0d}.btn-warning:hover{color:#fff;background-color:#ec971f;border-color:#d58512}.btn-warning:active,.btn-warning.active,.open>.dropdown-toggle.btn-warning{color:#fff;background-color:#ec971f;border-color:#d58512}.btn-warning:active:hover,.btn-warning.active:hover,.open>.dropdown-toggle.btn-warning:hover,.btn-warning:active:focus,.btn-warning.active:focus,.open>.dropdown-toggle.btn-warning:focus,.btn-warning:active.focus,.btn-warning.active.focus,.open>.dropdown-toggle.btn-warning.focus{color:#fff;background-color:#d58512;border-color:#985f0d}.btn-warning:active,.btn-warning.active,.open>.dropdown-toggle.btn-warning{background-image:none}.btn-warning.disabled:hover,.btn-warning[disabled]:hover,fieldset[disabled] .btn-warning:hover,.btn-warning.disabled:focus,.btn-warning[disabled]:focus,fieldset[disabled] .btn-warning:focus,.btn-warning.disabled.focus,.btn-warning[disabled].focus,fieldset[disabled] .btn-warning.focus{background-color:#f0ad4e;border-color:#eea236}.btn-warning .badge{color:#f0ad4e;background-color:#fff}.btn-danger{color:#fff;background-color:#d9534f;border-color:#d43f3a}.btn-danger:focus,.btn-danger.focus{color:#fff;background-color:#c9302c;border-color:#761c19}.btn-danger:hover{color:#fff;background-color:#c9302c;border-color:#ac2925}.btn-danger:active,.btn-danger.active,.open>.dropdown-toggle.btn-danger{color:#fff;background-color:#c9302c;border-color:#ac2925}.btn-danger:active:hover,.btn-danger.active:hover,.open>.dropdown-toggle.btn-danger:hover,.btn-danger:active:focus,.btn-danger.active:focus,.open>.dropdown-toggle.btn-danger:focus,.btn-danger:active.focus,.btn-danger.active.focus,.open>.dropdown-toggle.btn-danger.focus{color:#fff;background-color:#ac2925;border-color:#761c19}.btn-danger:active,.btn-danger.active,.open>.dropdown-toggle.btn-danger{background-image:none}.btn-danger.disabled:hover,.btn-danger[disabled]:hover,fieldset[disabled] .btn-danger:hover,.btn-danger.disabled:focus,.btn-danger[disabled]:focus,fieldset[disabled] .btn-danger:focus,.btn-danger.disabled.focus,.btn-danger[disabled].focus,fieldset[disabled] .btn-danger.focus{background-color:#d9534f;border-color:#d43f3a}.btn-danger .badge{color:#d9534f;background-color:#fff}.btn-link{color:#428bca;font-weight:normal;border-radius:0}.btn-link,.btn-link:active,.btn-link.active,.btn-link[disabled],fieldset[disabled] .btn-link{background-color:transparent;-webkit-box-shadow:none;box-shadow:none}.btn-link,.btn-link:hover,.btn-link:focus,.btn-link:active{border-color:transparent}.btn-link:hover,.btn-link:focus{color:#2a6496;text-decoration:underline;background-color:transparent}.btn-link[disabled]:hover,fieldset[disabled] .btn-link:hover,.btn-link[disabled]:focus,fieldset[disabled] .btn-link:focus{color:#777;text-decoration:none}.btn-lg,.btn-group-lg>.btn{padding:10px 16px;font-size:18px;line-height:1.33;border-radius:6px}.btn-sm,.btn-group-sm>.btn{padding:5px 10px;font-size:12px;line-height:1.5;border-radius:3px}.btn-xs,.btn-group-xs>.btn{padding:1px 5px;font-size:12px;line-height:1.5;border-radius:3px}.btn-block{display:block;width:100%}.btn-block+.btn-block{margin-top:5px}input[type="submit"].btn-block,input[type="reset"].btn-block,input[type="button"].btn-block{width:100%}.fade{opacity:0;-webkit-transition:opacity .15s linear;-o-transition:opacity .15s linear;transition:opacity .15s linear}.fade.in{opacity:1}.collapse{display:none}.collapse.in{display:block}tr.collapse.in{display:table-row}tbody.collapse.in{display:table-row-group}.collapsing{position:relative;height:0;overflow:hidden;-webkit-transition-property:height, visibility;-o-transition-property:height, visibility;transition-property:height, visibility;-webkit-transition-duration:.35s;-o-transition-duration:.35s;transition-duration:.35s;-webkit-transition-timing-function:ease;-o-transition-timing-function:ease;transition-timing-function:ease}.btn-group,.btn-group-vertical{position:relative;display:inline-block;vertical-align:middle}.btn-group>.btn,.btn-group-vertical>.btn{position:relative;float:left}.btn-group>.btn:hover,.btn-group-vertical>.btn:hover,.btn-group>.btn:focus,.btn-group-vertical>.btn:focus,.btn-group>.btn:active,.btn-group-vertical>.btn:active,.btn-group>.btn.active,.btn-group-vertical>.btn.active{z-index:2}.btn-group .btn+.btn,.btn-group .btn+.btn-group,.btn-group .btn-group+.btn,.btn-group .btn-group+.btn-group{margin-left:-1px}.btn-toolbar{margin-left:-5px}.btn-toolbar .btn,.btn-toolbar .btn-group,.btn-toolbar .input-group{float:left}.btn-toolbar>.btn,.btn-toolbar>.btn-group,.btn-toolbar>.input-group{margin-left:5px}.btn-group>.btn:not(:first-child):not(:last-child):not(.dropdown-toggle){border-radius:0}.btn-group>.btn:first-child{margin-left:0}.btn-group>.btn:first-child:not(:last-child):not(.dropdown-toggle){border-bottom-right-radius:0;border-top-right-radius:0}.btn-group>.btn:last-child:not(:first-child),.btn-group>.dropdown-toggle:not(:first-child){border-bottom-left-radius:0;border-top-left-radius:0}.btn-group>.btn-group{float:left}.btn-group>.btn-group:not(:first-child):not(:last-child)>.btn{border-radius:0}.btn-group>.btn-group:first-child:not(:last-child)>.btn:last-child,.btn-group>.btn-group:first-child:not(:last-child)>.dropdown-toggle{border-bottom-right-radius:0;border-top-right-radius:0}.btn-group>.btn-group:last-child:not(:first-child)>.btn:first-child{border-bottom-left-radius:0;border-top-left-radius:0}.btn-group .dropdown-toggle:active,.btn-group.open .dropdown-toggle{outline:0}.btn-group>.btn+.dropdown-toggle{padding-left:8px;padding-right:8px}.btn-group>.btn-lg+.dropdown-toggle{padding-left:12px;padding-right:12px}.btn-group.open .dropdown-toggle{-webkit-box-shadow:inset 0 3px 5px rgba(0,0,0,0.125);box-shadow:inset 0 3px 5px rgba(0,0,0,0.125)}.btn-group.open .dropdown-toggle.btn-link{-webkit-box-shadow:none;box-shadow:none}.btn .caret{margin-left:0}.btn-lg .caret{border-width:5px 5px 0;border-bottom-width:0}.dropup .btn-lg .caret{border-width:0 5px 5px}.btn-group-vertical>.btn,.btn-group-vertical>.btn-group,.btn-group-vertical>.btn-group>.btn{display:block;float:none;width:100%;max-width:100%}.btn-group-vertical>.btn-group>.btn{float:none}.btn-group-vertical>.btn+.btn,.btn-group-vertical>.btn+.btn-group,.btn-group-vertical>.btn-group+.btn,.btn-group-vertical>.btn-group+.btn-group{margin-top:-1px;margin-left:0}.btn-group-vertical>.btn:not(:first-child):not(:last-child){border-radius:0}.btn-group-vertical>.btn:first-child:not(:last-child){border-top-right-radius:4px;border-top-left-radius:4px;border-bottom-right-radius:0;border-bottom-left-radius:0}.btn-group-vertical>.btn:last-child:not(:first-child){border-top-right-radius:0;border-top-left-radius:0;border-bottom-right-radius:4px;border-bottom-left-radius:4px}.btn-group-vertical>.btn-group:not(:first-child):not(:last-child)>.btn{border-radius:0}.btn-group-vertical>.btn-group:first-child:not(:last-child)>.btn:last-child,.btn-group-vertical>.btn-group:first-child:not(:last-child)>.dropdown-toggle{border-bottom-right-radius:0;border-bottom-left-radius:0}.btn-group-vertical>.btn-group:last-child:not(:first-child)>.btn:first-child{border-top-right-radius:0;border-top-left-radius:0}.btn-group-justified{display:table;width:100%;table-layout:fixed;border-collapse:separate}.btn-group-justified>.btn,.btn-group-justified>.btn-group{float:none;display:table-cell;width:1%}.btn-group-justified>.btn-group .btn{width:100%}.btn-group-justified>.btn-group .dropdown-menu{left:auto}[data-toggle="buttons"]>.btn input[type="radio"],[data-toggle="buttons"]>.btn-group>.btn input[type="radio"],[data-toggle="buttons"]>.btn input[type="checkbox"],[data-toggle="buttons"]>.btn-group>.btn input[type="checkbox"]{position:absolute;clip:rect(0, 0, 0, 0);pointer-events:none}.input-group{position:relative;display:table;border-collapse:separate}.input-group[class*="col-"]{float:none;padding-left:0;padding-right:0}.input-group .form-control{position:relative;z-index:2;float:left;width:100%;margin-bottom:0}.input-group .form-control:focus{z-index:3}.input-group-lg>.form-control,.input-group-lg>.input-group-addon,.input-group-lg>.input-group-btn>.btn{height:46px;padding:10px 16px;font-size:18px;line-height:1.33;border-radius:6px}select.input-group-lg>.form-control,select.input-group-lg>.input-group-addon,select.input-group-lg>.input-group-btn>.btn{height:46px;line-height:46px}textarea.input-group-lg>.form-control,textarea.input-group-lg>.input-group-addon,textarea.input-group-lg>.input-group-btn>.btn,select[multiple].input-group-lg>.form-control,select[multiple].input-group-lg>.input-group-addon,select[multiple].input-group-lg>.input-group-btn>.btn{height:auto}.input-group-sm>.form-control,.input-group-sm>.input-group-addon,.input-group-sm>.input-group-btn>.btn{height:30px;padding:5px 10px;font-size:12px;line-height:1.5;border-radius:3px}select.input-group-sm>.form-control,select.input-group-sm>.input-group-addon,select.input-group-sm>.input-group-btn>.btn{height:30px;line-height:30px}textarea.input-group-sm>.form-control,textarea.input-group-sm>.input-group-addon,textarea.input-group-sm>.input-group-btn>.btn,select[multiple].input-group-sm>.form-control,select[multiple].input-group-sm>.input-group-addon,select[multiple].input-group-sm>.input-group-btn>.btn{height:auto}.input-group-addon,.input-group-btn,.input-group .form-control{display:table-cell}.input-group-addon:not(:first-child):not(:last-child),.input-group-btn:not(:first-child):not(:last-child),.input-group .form-control:not(:first-child):not(:last-child){border-radius:0}.input-group-addon,.input-group-btn{width:1%;white-space:nowrap;vertical-align:middle}.input-group-addon{padding:6px 12px;font-size:14px;font-weight:normal;line-height:1;color:#555;text-align:center;background-color:#eee;border:1px solid #ccc;border-radius:4px}.input-group-addon.input-sm{padding:5px 10px;font-size:12px;border-radius:3px}.input-group-addon.input-lg{padding:10px 16px;font-size:18px;border-radius:6px}.input-group-addon input[type="radio"],.input-group-addon input[type="checkbox"]{margin-top:0}.input-group .form-control:first-child,.input-group-addon:first-child,.input-group-btn:first-child>.btn,.input-group-btn:first-child>.btn-group>.btn,.input-group-btn:first-child>.dropdown-toggle,.input-group-btn:last-child>.btn:not(:last-child):not(.dropdown-toggle),.input-group-btn:last-child>.btn-group:not(:last-child)>.btn{border-bottom-right-radius:0;border-top-right-radius:0}.input-group-addon:first-child{border-right:0}.input-group .form-control:last-child,.input-group-addon:last-child,.input-group-btn:last-child>.btn,.input-group-btn:last-child>.btn-group>.btn,.input-group-btn:last-child>.dropdown-toggle,.input-group-btn:first-child>.btn:not(:first-child),.input-group-btn:first-child>.btn-group:not(:first-child)>.btn{border-bottom-left-radius:0;border-top-left-radius:0}.input-group-addon:last-child{border-left:0}.input-group-btn{position:relative;font-size:0;white-space:nowrap}.input-group-btn>.btn{position:relative}.input-group-btn>.btn+.btn{margin-left:-1px}.input-group-btn>.btn:hover,.input-group-btn>.btn:focus,.input-group-btn>.btn:active{z-index:2}.input-group-btn:first-child>.btn,.input-group-btn:first-child>.btn-group{margin-right:-1px}.input-group-btn:last-child>.btn,.input-group-btn:last-child>.btn-group{z-index:2;margin-left:-1px}.nav{margin-bottom:0;padding-left:0;list-style:none}.nav>li{position:relative;display:block}.nav>li>a{position:relative;display:block;padding:10px 15px}.nav>li>a:hover,.nav>li>a:focus{text-decoration:none;background-color:#eee}.nav>li.disabled>a{color:#777}.nav>li.disabled>a:hover,.nav>li.disabled>a:focus{color:#777;text-decoration:none;background-color:transparent;cursor:not-allowed}.nav .open>a,.nav .open>a:hover,.nav .open>a:focus{background-color:#eee;border-color:#428bca}.nav .nav-divider{height:1px;margin:9px 0;overflow:hidden;background-color:#e5e5e5}.nav>li>a>img{max-width:none}.nav-tabs{border-bottom:1px solid #ddd}.nav-tabs>li{float:left;margin-bottom:-1px}.nav-tabs>li>a{margin-right:2px;line-height:1.42857143;border:1px solid transparent;border-radius:4px 4px 0 0}.nav-tabs>li>a:hover{border-color:#eee #eee #ddd}.nav-tabs>li.active>a,.nav-tabs>li.active>a:hover,.nav-tabs>li.active>a:focus{color:#555;background-color:#fff;border:1px solid #ddd;border-bottom-color:transparent;cursor:default}.nav-tabs.nav-justified{width:100%;border-bottom:0}.nav-tabs.nav-justified>li{float:none}.nav-tabs.nav-justified>li>a{text-align:center;margin-bottom:5px}.nav-tabs.nav-justified>.dropdown .dropdown-menu{top:auto;left:auto}@media (min-width:768px){.nav-tabs.nav-justified>li{display:table-cell;width:1%}.nav-tabs.nav-justified>li>a{margin-bottom:0}}.nav-tabs.nav-justified>li>a{margin-right:0;border-radius:4px}.nav-tabs.nav-justified>.active>a,.nav-tabs.nav-justified>.active>a:hover,.nav-tabs.nav-justified>.active>a:focus{border:1px solid #ddd}@media (min-width:768px){.nav-tabs.nav-justified>li>a{border-bottom:1px solid #ddd;border-radius:4px 4px 0 0}.nav-tabs.nav-justified>.active>a,.nav-tabs.nav-justified>.active>a:hover,.nav-tabs.nav-justified>.active>a:focus{border-bottom-color:#fff}}.nav-pills>li{float:left}.nav-pills>li>a{border-radius:4px}.nav-pills>li+li{margin-left:2px}.nav-pills>li.active>a,.nav-pills>li.active>a:hover,.nav-pills>li.active>a:focus{color:#fff;background-color:#428bca}.nav-stacked>li{float:none}.nav-stacked>li+li{margin-top:2px;margin-left:0}.nav-justified{width:100%}.nav-justified>li{float:none}.nav-justified>li>a{text-align:center;margin-bottom:5px}.nav-justified>.dropdown .dropdown-menu{top:auto;left:auto}@media (min-width:768px){.nav-justified>li{display:table-cell;width:1%}.nav-justified>li>a{margin-bottom:0}}.nav-tabs-justified{border-bottom:0}.nav-tabs-justified>li>a{margin-right:0;border-radius:4px}.nav-tabs-justified>.active>a,.nav-tabs-justified>.active>a:hover,.nav-tabs-justified>.active>a:focus{border:1px solid #ddd}@media (min-width:768px){.nav-tabs-justified>li>a{border-bottom:1px solid #ddd;border-radius:4px 4px 0 0}.nav-tabs-justified>.active>a,.nav-tabs-justified>.active>a:hover,.nav-tabs-justified>.active>a:focus{border-bottom-color:#fff}}.tab-content>.tab-pane{display:none}.tab-content>.active{display:block}.nav-tabs .dropdown-menu{margin-top:-1px;border-top-right-radius:0;border-top-left-radius:0}.navbar{position:relative;min-height:50px;margin-bottom:20px;border:1px solid transparent}@media (min-width:768px){.navbar{border-radius:4px}}@media (min-width:768px){.navbar-header{float:left}}.navbar-collapse{overflow-x:visible;padding-right:15px;padding-left:15px;border-top:1px solid transparent;-webkit-box-shadow:inset 0 1px 0 rgba(255,255,255,0.1);box-shadow:inset 0 1px 0 rgba(255,255,255,0.1);-webkit-overflow-scrolling:touch}.navbar-collapse.in{overflow-y:auto}@media (min-width:768px){.navbar-collapse{width:auto;border-top:0;-webkit-box-shadow:none;box-shadow:none}.navbar-collapse.collapse{display:block !important;height:auto !important;padding-bottom:0;overflow:visible !important}.navbar-collapse.in{overflow-y:visible}.navbar-fixed-top .navbar-collapse,.navbar-static-top .navbar-collapse,.navbar-fixed-bottom .navbar-collapse{padding-left:0;padding-right:0}}.navbar-fixed-top .navbar-collapse,.navbar-fixed-bottom .navbar-collapse{max-height:340px}@media (max-device-width:480px) and (orientation:landscape){.navbar-fixed-top .navbar-collapse,.navbar-fixed-bottom .navbar-collapse{max-height:200px}}.container>.navbar-header,.container-fluid>.navbar-header,.container>.navbar-collapse,.container-fluid>.navbar-collapse{margin-right:-15px;margin-left:-15px}@media (min-width:768px){.container>.navbar-header,.container-fluid>.navbar-header,.container>.navbar-collapse,.container-fluid>.navbar-collapse{margin-right:0;margin-left:0}}.navbar-static-top{z-index:1000;border-width:0 0 1px}@media (min-width:768px){.navbar-static-top{border-radius:0}}.navbar-fixed-top,.navbar-fixed-bottom{position:fixed;right:0;left:0;z-index:1030}@media (min-width:768px){.navbar-fixed-top,.navbar-fixed-bottom{border-radius:0}}.navbar-fixed-top{top:0;border-width:0 0 1px}.navbar-fixed-bottom{bottom:0;margin-bottom:0;border-width:1px 0 0}.navbar-brand{float:left;padding:15px 15px;font-size:18px;line-height:20px;height:50px}.navbar-brand:hover,.navbar-brand:focus{text-decoration:none}.navbar-brand>img{display:block}@media (min-width:768px){.navbar>.container .navbar-brand,.navbar>.container-fluid .navbar-brand{margin-left:-15px}}.navbar-toggle{position:relative;float:right;margin-right:15px;padding:9px 10px;margin-top:8px;margin-bottom:8px;background-color:transparent;background-image:none;border:1px solid transparent;border-radius:4px}.navbar-toggle:focus{outline:0}.navbar-toggle .icon-bar{display:block;width:22px;height:2px;border-radius:1px}.navbar-toggle .icon-bar+.icon-bar{margin-top:4px}@media (min-width:768px){.navbar-toggle{display:none}}.navbar-nav{margin:7.5px -15px}.navbar-nav>li>a{padding-top:10px;padding-bottom:10px;line-height:20px}@media (max-width:767px){.navbar-nav .open .dropdown-menu{position:static;float:none;width:auto;margin-top:0;background-color:transparent;border:0;-webkit-box-shadow:none;box-shadow:none}.navbar-nav .open .dropdown-menu>li>a,.navbar-nav .open .dropdown-menu .dropdown-header{padding:5px 15px 5px 25px}.navbar-nav .open .dropdown-menu>li>a{line-height:20px}.navbar-nav .open .dropdown-menu>li>a:hover,.navbar-nav .open .dropdown-menu>li>a:focus{background-image:none}}@media (min-width:768px){.navbar-nav{float:left;margin:0}.navbar-nav>li{float:left}.navbar-nav>li>a{padding-top:15px;padding-bottom:15px}}.navbar-form{margin-left:-15px;margin-right:-15px;padding:10px 15px;border-top:1px solid transparent;border-bottom:1px solid transparent;-webkit-box-shadow:inset 0 1px 0 rgba(255,255,255,0.1),0 1px 0 rgba(255,255,255,0.1);box-shadow:inset 0 1px 0 rgba(255,255,255,0.1),0 1px 0 rgba(255,255,255,0.1);margin-top:8px;margin-bottom:8px}@media (min-width:768px){.navbar-form .form-group{display:inline-block;margin-bottom:0;vertical-align:middle}.navbar-form .form-control{display:inline-block;width:auto;vertical-align:middle}.navbar-form .form-control-static{display:inline-block}.navbar-form .input-group{display:inline-table;vertical-align:middle}.navbar-form .input-group .input-group-addon,.navbar-form .input-group .input-group-btn,.navbar-form .input-group .form-control{width:auto}.navbar-form .input-group>.form-control{width:100%}.navbar-form .control-label{margin-bottom:0;vertical-align:middle}.navbar-form .radio,.navbar-form .checkbox{display:inline-block;margin-top:0;margin-bottom:0;vertical-align:middle}.navbar-form .radio label,.navbar-form .checkbox label{padding-left:0}.navbar-form .radio input[type="radio"],.navbar-form .checkbox input[type="checkbox"]{position:relative;margin-left:0}.navbar-form .has-feedback .form-control-feedback{top:0}}@media (max-width:767px){.navbar-form .form-group{margin-bottom:5px}.navbar-form .form-group:last-child{margin-bottom:0}}@media (min-width:768px){.navbar-form{width:auto;border:0;margin-left:0;margin-right:0;padding-top:0;padding-bottom:0;-webkit-box-shadow:none;box-shadow:none}}.navbar-nav>li>.dropdown-menu{margin-top:0;border-top-right-radius:0;border-top-left-radius:0}.navbar-fixed-bottom .navbar-nav>li>.dropdown-menu{margin-bottom:0;border-top-right-radius:4px;border-top-left-radius:4px;border-bottom-right-radius:0;border-bottom-left-radius:0}.navbar-btn{margin-top:8px;margin-bottom:8px}.navbar-btn.btn-sm{margin-top:10px;margin-bottom:10px}.navbar-btn.btn-xs{margin-top:14px;margin-bottom:14px}.navbar-text{margin-top:15px;margin-bottom:15px}@media (min-width:768px){.navbar-text{float:left;margin-left:15px;margin-right:15px}}@media (min-width:768px){.navbar-left{float:left !important}.navbar-right{float:right !important;margin-right:-15px}.navbar-right~.navbar-right{margin-right:0}}.navbar-default{background-color:#f8f8f8;border-color:#e7e7e7}.navbar-default .navbar-brand{color:#777}.navbar-default .navbar-brand:hover,.navbar-default .navbar-brand:focus{color:#5e5e5e;background-color:transparent}.navbar-default .navbar-text{color:#777}.navbar-default .navbar-nav>li>a{color:#777}.navbar-default .navbar-nav>li>a:hover,.navbar-default .navbar-nav>li>a:focus{color:#333;background-color:transparent}.navbar-default .navbar-nav>.active>a,.navbar-default .navbar-nav>.active>a:hover,.navbar-default .navbar-nav>.active>a:focus{color:#555;background-color:#e7e7e7}.navbar-default .navbar-nav>.disabled>a,.navbar-default .navbar-nav>.disabled>a:hover,.navbar-default .navbar-nav>.disabled>a:focus{color:#ccc;background-color:transparent}.navbar-default .navbar-toggle{border-color:#ddd}.navbar-default .navbar-toggle:hover,.navbar-default .navbar-toggle:focus{background-color:#ddd}.navbar-default .navbar-toggle .icon-bar{background-color:#888}.navbar-default .navbar-collapse,.navbar-default .navbar-form{border-color:#e7e7e7}.navbar-default .navbar-nav>.open>a,.navbar-default .navbar-nav>.open>a:hover,.navbar-default .navbar-nav>.open>a:focus{background-color:#e7e7e7;color:#555}@media (max-width:767px){.navbar-default .navbar-nav .open .dropdown-menu>li>a{color:#777}.navbar-default .navbar-nav .open .dropdown-menu>li>a:hover,.navbar-default .navbar-nav .open .dropdown-menu>li>a:focus{color:#333;background-color:transparent}.navbar-default .navbar-nav .open .dropdown-menu>.active>a,.navbar-default .navbar-nav .open .dropdown-menu>.active>a:hover,.navbar-default .navbar-nav .open .dropdown-menu>.active>a:focus{color:#555;background-color:#e7e7e7}.navbar-default .navbar-nav .open .dropdown-menu>.disabled>a,.navbar-default .navbar-nav .open .dropdown-menu>.disabled>a:hover,.navbar-default .navbar-nav .open .dropdown-menu>.disabled>a:focus{color:#ccc;background-color:transparent}}.navbar-default .navbar-link{color:#777}.navbar-default .navbar-link:hover{color:#333}.navbar-default .btn-link{color:#777}.navbar-default .btn-link:hover,.navbar-default .btn-link:focus{color:#333}.navbar-default .btn-link[disabled]:hover,fieldset[disabled] .navbar-default .btn-link:hover,.navbar-default .btn-link[disabled]:focus,fieldset[disabled] .navbar-default .btn-link:focus{color:#ccc}.navbar-inverse{background-color:#222;border-color:#080808}.navbar-inverse .navbar-brand{color:#777}.navbar-inverse .navbar-brand:hover,.navbar-inverse .navbar-brand:focus{color:#fff;background-color:transparent}.navbar-inverse .navbar-text{color:#777}.navbar-inverse .navbar-nav>li>a{color:#777}.navbar-inverse .navbar-nav>li>a:hover,.navbar-inverse .navbar-nav>li>a:focus{color:#fff;background-color:transparent}.navbar-inverse .navbar-nav>.active>a,.navbar-inverse .navbar-nav>.active>a:hover,.navbar-inverse .navbar-nav>.active>a:focus{color:#fff;background-color:#080808}.navbar-inverse .navbar-nav>.disabled>a,.navbar-inverse .navbar-nav>.disabled>a:hover,.navbar-inverse .navbar-nav>.disabled>a:focus{color:#444;background-color:transparent}.navbar-inverse .navbar-toggle{border-color:#333}.navbar-inverse .navbar-toggle:hover,.navbar-inverse .navbar-toggle:focus{background-color:#333}.navbar-inverse .navbar-toggle .icon-bar{background-color:#fff}.navbar-inverse .navbar-collapse,.navbar-inverse .navbar-form{border-color:#101010}.navbar-inverse .navbar-nav>.open>a,.navbar-inverse .navbar-nav>.open>a:hover,.navbar-inverse .navbar-nav>.open>a:focus{background-color:#080808;color:#fff}@media (max-width:767px){.navbar-inverse .navbar-nav .open .dropdown-menu>.dropdown-header{border-color:#080808}.navbar-inverse .navbar-nav .open .dropdown-menu .divider{background-color:#080808}.navbar-inverse .navbar-nav .open .dropdown-menu>li>a{color:#777}.navbar-inverse .navbar-nav .open .dropdown-menu>li>a:hover,.navbar-inverse .navbar-nav .open .dropdown-menu>li>a:focus{color:#fff;background-color:transparent}.navbar-inverse .navbar-nav .open .dropdown-menu>.active>a,.navbar-inverse .navbar-nav .open .dropdown-menu>.active>a:hover,.navbar-inverse .navbar-nav .open .dropdown-menu>.active>a:focus{color:#fff;background-color:#080808}.navbar-inverse .navbar-nav .open .dropdown-menu>.disabled>a,.navbar-inverse .navbar-nav .open .dropdown-menu>.disabled>a:hover,.navbar-inverse .navbar-nav .open .dropdown-menu>.disabled>a:focus{color:#444;background-color:transparent}}.navbar-inverse .navbar-link{color:#777}.navbar-inverse .navbar-link:hover{color:#fff}.navbar-inverse .btn-link{color:#777}.navbar-inverse .btn-link:hover,.navbar-inverse .btn-link:focus{color:#fff}.navbar-inverse .btn-link[disabled]:hover,fieldset[disabled] .navbar-inverse .btn-link:hover,.navbar-inverse .btn-link[disabled]:focus,fieldset[disabled] .navbar-inverse .btn-link:focus{color:#444}.label{display:inline;padding:.2em .6em .3em;font-size:75%;font-weight:bold;line-height:1;color:#fff;text-align:center;white-space:nowrap;vertical-align:baseline;border-radius:.25em}a.label:hover,a.label:focus{color:#fff;text-decoration:none;cursor:pointer}.label:empty{display:none}.btn .label{position:relative;top:-1px}.label-default{background-color:#777}.label-default[href]:hover,.label-default[href]:focus{background-color:#5e5e5e}.label-primary{background-color:#428bca}.label-primary[href]:hover,.label-primary[href]:focus{background-color:#3071a9}.label-success{background-color:#5cb85c}.label-success[href]:hover,.label-success[href]:focus{background-color:#449d44}.label-info{background-color:#5bc0de}.label-info[href]:hover,.label-info[href]:focus{background-color:#31b0d5}.label-warning{background-color:#f0ad4e}.label-warning[href]:hover,.label-warning[href]:focus{background-color:#ec971f}.label-danger{background-color:#d9534f}.label-danger[href]:hover,.label-danger[href]:focus{background-color:#c9302c}.badge{display:inline-block;min-width:10px;padding:3px 7px;font-size:12px;font-weight:bold;color:#fff;line-height:1;vertical-align:middle;white-space:nowrap;text-align:center;background-color:#777;border-radius:10px}.badge:empty{display:none}.btn .badge{position:relative;top:-1px}.btn-xs .badge,.btn-group-xs>.btn .badge{top:0;padding:1px 5px}a.badge:hover,a.badge:focus{color:#fff;text-decoration:none;cursor:pointer}.list-group-item.active>.badge,.nav-pills>.active>a>.badge{color:#428bca;background-color:#fff}.list-group-item>.badge{float:right}.list-group-item>.badge+.badge{margin-right:5px}.nav-pills>li>a>.badge{margin-left:3px}.alert{padding:15px;margin-bottom:20px;border:1px solid transparent;border-radius:4px}.alert h4{margin-top:0;color:inherit}.alert .alert-link{font-weight:bold}.alert>p,.alert>ul{margin-bottom:0}.alert>p+p{margin-top:5px}.alert-dismissable,.alert-dismissible{padding-right:35px}.alert-dismissable .close,.alert-dismissible .close{position:relative;top:-2px;right:-21px;color:inherit}.alert-success{background-color:#dff0d8;border-color:#d6e9c6;color:#3c763d}.alert-success hr{border-top-color:#c9e2b3}.alert-success .alert-link{color:#2b542c}.alert-info{background-color:#d9edf7;border-color:#bce8f1;color:#31708f}.alert-info hr{border-top-color:#a6e1ec}.alert-info .alert-link{color:#245269}.alert-warning{background-color:#fcf8e3;border-color:#faebcc;color:#8a6d3b}.alert-warning hr{border-top-color:#f7e1b5}.alert-warning .alert-link{color:#66512c}.alert-danger{background-color:#f2dede;border-color:#ebccd1;color:#a94442}.alert-danger hr{border-top-color:#e4b9c0}.alert-danger .alert-link{color:#843534}@-webkit-keyframes progress-bar-stripes{from{background-position:40px 0}to{background-position:0 0}}@-o-keyframes progress-bar-stripes{from{background-position:40px 0}to{background-position:0 0}}@keyframes progress-bar-stripes{from{background-position:40px 0}to{background-position:0 0}}.progress{overflow:hidden;height:20px;margin-bottom:20px;background-color:#f5f5f5;border-radius:4px;-webkit-box-shadow:inset 0 1px 2px rgba(0,0,0,0.1);box-shadow:inset 0 1px 2px rgba(0,0,0,0.1)}.progress-bar{float:left;width:0%;height:100%;font-size:12px;line-height:20px;color:#fff;text-align:center;background-color:#428bca;-webkit-box-shadow:inset 0 -1px 0 rgba(0,0,0,0.15);box-shadow:inset 0 -1px 0 rgba(0,0,0,0.15);-webkit-transition:width .6s ease;-o-transition:width .6s ease;transition:width .6s ease}.progress-striped .progress-bar,.progress-bar-striped{background-image:-webkit-linear-gradient(45deg, rgba(255,255,255,0.15) 25%, transparent 25%, transparent 50%, rgba(255,255,255,0.15) 50%, rgba(255,255,255,0.15) 75%, transparent 75%, transparent);background-image:-o-linear-gradient(45deg, rgba(255,255,255,0.15) 25%, transparent 25%, transparent 50%, rgba(255,255,255,0.15) 50%, rgba(255,255,255,0.15) 75%, transparent 75%, transparent);background-image:linear-gradient(45deg, rgba(255,255,255,0.15) 25%, transparent 25%, transparent 50%, rgba(255,255,255,0.15) 50%, rgba(255,255,255,0.15) 75%, transparent 75%, transparent);-webkit-background-size:40px 40px;background-size:40px 40px}.progress.active .progress-bar,.progress-bar.active{-webkit-animation:progress-bar-stripes 2s linear infinite;-o-animation:progress-bar-stripes 2s linear infinite;animation:progress-bar-stripes 2s linear infinite}.progress-bar-success{background-color:#5cb85c}.progress-striped .progress-bar-success{background-image:-webkit-linear-gradient(45deg, rgba(255,255,255,0.15) 25%, transparent 25%, transparent 50%, rgba(255,255,255,0.15) 50%, rgba(255,255,255,0.15) 75%, transparent 75%, transparent);background-image:-o-linear-gradient(45deg, rgba(255,255,255,0.15) 25%, transparent 25%, transparent 50%, rgba(255,255,255,0.15) 50%, rgba(255,255,255,0.15) 75%, transparent 75%, transparent);background-image:linear-gradient(45deg, rgba(255,255,255,0.15) 25%, transparent 25%, transparent 50%, rgba(255,255,255,0.15) 50%, rgba(255,255,255,0.15) 75%, transparent 75%, transparent)}.progress-bar-info{background-color:#5bc0de}.progress-striped .progress-bar-info{background-image:-webkit-linear-gradient(45deg, rgba(255,255,255,0.15) 25%, transparent 25%, transparent 50%, rgba(255,255,255,0.15) 50%, rgba(255,255,255,0.15) 75%, transparent 75%, transparent);background-image:-o-linear-gradient(45deg, rgba(255,255,255,0.15) 25%, transparent 25%, transparent 50%, rgba(255,255,255,0.15) 50%, rgba(255,255,255,0.15) 75%, transparent 75%, transparent);background-image:linear-gradient(45deg, rgba(255,255,255,0.15) 25%, transparent 25%, transparent 50%, rgba(255,255,255,0.15) 50%, rgba(255,255,255,0.15) 75%, transparent 75%, transparent)}.progress-bar-warning{background-color:#f0ad4e}.progress-striped .progress-bar-warning{background-image:-webkit-linear-gradient(45deg, rgba(255,255,255,0.15) 25%, transparent 25%, transparent 50%, rgba(255,255,255,0.15) 50%, rgba(255,255,255,0.15) 75%, transparent 75%, transparent);background-image:-o-linear-gradient(45deg, rgba(255,255,255,0.15) 25%, transparent 25%, transparent 50%, rgba(255,255,255,0.15) 50%, rgba(255,255,255,0.15) 75%, transparent 75%, transparent);background-image:linear-gradient(45deg, rgba(255,255,255,0.15) 25%, transparent 25%, transparent 50%, rgba(255,255,255,0.15) 50%, rgba(255,255,255,0.15) 75%, transparent 75%, transparent)}.progress-bar-danger{background-color:#d9534f}.progress-striped .progress-bar-danger{background-image:-webkit-linear-gradient(45deg, rgba(255,255,255,0.15) 25%, transparent 25%, transparent 50%, rgba(255,255,255,0.15) 50%, rgba(255,255,255,0.15) 75%, transparent 75%, transparent);background-image:-o-linear-gradient(45deg, rgba(255,255,255,0.15) 25%, transparent 25%, transparent 50%, rgba(255,255,255,0.15) 50%, rgba(255,255,255,0.15) 75%, transparent 75%, transparent);background-image:linear-gradient(45deg, rgba(255,255,255,0.15) 25%, transparent 25%, transparent 50%, rgba(255,255,255,0.15) 50%, rgba(255,255,255,0.15) 75%, transparent 75%, transparent)}.panel{margin-bottom:20px;background-color:#fff;border:1px solid transparent;border-radius:4px;-webkit-box-shadow:0 1px 1px rgba(0,0,0,0.05);box-shadow:0 1px 1px rgba(0,0,0,0.05)}.panel-body{padding:15px}.panel-heading{padding:10px 15px;border-bottom:1px solid transparent;border-top-right-radius:3px;border-top-left-radius:3px}.panel-heading>.dropdown .dropdown-toggle{color:inherit}.panel-title{margin-top:0;margin-bottom:0;font-size:16px;color:inherit}.panel-title>a,.panel-title>small,.panel-title>.small,.panel-title>small>a,.panel-title>.small>a{color:inherit}.panel-footer{padding:10px 15px;background-color:#f5f5f5;border-top:1px solid #ddd;border-bottom-right-radius:3px;border-bottom-left-radius:3px}.panel>.list-group,.panel>.panel-collapse>.list-group{margin-bottom:0}.panel>.list-group .list-group-item,.panel>.panel-collapse>.list-group .list-group-item{border-width:1px 0;border-radius:0}.panel>.list-group:first-child .list-group-item:first-child,.panel>.panel-collapse>.list-group:first-child .list-group-item:first-child{border-top:0;border-top-right-radius:3px;border-top-left-radius:3px}.panel>.list-group:last-child .list-group-item:last-child,.panel>.panel-collapse>.list-group:last-child .list-group-item:last-child{border-bottom:0;border-bottom-right-radius:3px;border-bottom-left-radius:3px}.panel>.panel-heading+.panel-collapse>.list-group .list-group-item:first-child{border-top-right-radius:0;border-top-left-radius:0}.panel-heading+.list-group .list-group-item:first-child{border-top-width:0}.list-group+.panel-footer{border-top-width:0}.panel>.table,.panel>.table-responsive>.table,.panel>.panel-collapse>.table{margin-bottom:0}.panel>.table caption,.panel>.table-responsive>.table caption,.panel>.panel-collapse>.table caption{padding-left:15px;padding-right:15px}.panel>.table:first-child,.panel>.table-responsive:first-child>.table:first-child{border-top-right-radius:3px;border-top-left-radius:3px}.panel>.table:first-child>thead:first-child>tr:first-child,.panel>.table-responsive:first-child>.table:first-child>thead:first-child>tr:first-child,.panel>.table:first-child>tbody:first-child>tr:first-child,.panel>.table-responsive:first-child>.table:first-child>tbody:first-child>tr:first-child{border-top-left-radius:3px;border-top-right-radius:3px}.panel>.table:first-child>thead:first-child>tr:first-child td:first-child,.panel>.table-responsive:first-child>.table:first-child>thead:first-child>tr:first-child td:first-child,.panel>.table:first-child>tbody:first-child>tr:first-child td:first-child,.panel>.table-responsive:first-child>.table:first-child>tbody:first-child>tr:first-child td:first-child,.panel>.table:first-child>thead:first-child>tr:first-child th:first-child,.panel>.table-responsive:first-child>.table:first-child>thead:first-child>tr:first-child th:first-child,.panel>.table:first-child>tbody:first-child>tr:first-child th:first-child,.panel>.table-responsive:first-child>.table:first-child>tbody:first-child>tr:first-child th:first-child{border-top-left-radius:3px}.panel>.table:first-child>thead:first-child>tr:first-child td:last-child,.panel>.table-responsive:first-child>.table:first-child>thead:first-child>tr:first-child td:last-child,.panel>.table:first-child>tbody:first-child>tr:first-child td:last-child,.panel>.table-responsive:first-child>.table:first-child>tbody:first-child>tr:first-child td:last-child,.panel>.table:first-child>thead:first-child>tr:first-child th:last-child,.panel>.table-responsive:first-child>.table:first-child>thead:first-child>tr:first-child th:last-child,.panel>.table:first-child>tbody:first-child>tr:first-child th:last-child,.panel>.table-responsive:first-child>.table:first-child>tbody:first-child>tr:first-child th:last-child{border-top-right-radius:3px}.panel>.table:last-child,.panel>.table-responsive:last-child>.table:last-child{border-bottom-right-radius:3px;border-bottom-left-radius:3px}.panel>.table:last-child>tbody:last-child>tr:last-child,.panel>.table-responsive:last-child>.table:last-child>tbody:last-child>tr:last-child,.panel>.table:last-child>tfoot:last-child>tr:last-child,.panel>.table-responsive:last-child>.table:last-child>tfoot:last-child>tr:last-child{border-bottom-left-radius:3px;border-bottom-right-radius:3px}.panel>.table:last-child>tbody:last-child>tr:last-child td:first-child,.panel>.table-responsive:last-child>.table:last-child>tbody:last-child>tr:last-child td:first-child,.panel>.table:last-child>tfoot:last-child>tr:last-child td:first-child,.panel>.table-responsive:last-child>.table:last-child>tfoot:last-child>tr:last-child td:first-child,.panel>.table:last-child>tbody:last-child>tr:last-child th:first-child,.panel>.table-responsive:last-child>.table:last-child>tbody:last-child>tr:last-child th:first-child,.panel>.table:last-child>tfoot:last-child>tr:last-child th:first-child,.panel>.table-responsive:last-child>.table:last-child>tfoot:last-child>tr:last-child th:first-child{border-bottom-left-radius:3px}.panel>.table:last-child>tbody:last-child>tr:last-child td:last-child,.panel>.table-responsive:last-child>.table:last-child>tbody:last-child>tr:last-child td:last-child,.panel>.table:last-child>tfoot:last-child>tr:last-child td:last-child,.panel>.table-responsive:last-child>.table:last-child>tfoot:last-child>tr:last-child td:last-child,.panel>.table:last-child>tbody:last-child>tr:last-child th:last-child,.panel>.table-responsive:last-child>.table:last-child>tbody:last-child>tr:last-child th:last-child,.panel>.table:last-child>tfoot:last-child>tr:last-child th:last-child,.panel>.table-responsive:last-child>.table:last-child>tfoot:last-child>tr:last-child th:last-child{border-bottom-right-radius:3px}.panel>.panel-body+.table,.panel>.panel-body+.table-responsive,.panel>.table+.panel-body,.panel>.table-responsive+.panel-body{border-top:1px solid #ddd}.panel>.table>tbody:first-child>tr:first-child th,.panel>.table>tbody:first-child>tr:first-child td{border-top:0}.panel>.table-bordered,.panel>.table-responsive>.table-bordered{border:0}.panel>.table-bordered>thead>tr>th:first-child,.panel>.table-responsive>.table-bordered>thead>tr>th:first-child,.panel>.table-bordered>tbody>tr>th:first-child,.panel>.table-responsive>.table-bordered>tbody>tr>th:first-child,.panel>.table-bordered>tfoot>tr>th:first-child,.panel>.table-responsive>.table-bordered>tfoot>tr>th:first-child,.panel>.table-bordered>thead>tr>td:first-child,.panel>.table-responsive>.table-bordered>thead>tr>td:first-child,.panel>.table-bordered>tbody>tr>td:first-child,.panel>.table-responsive>.table-bordered>tbody>tr>td:first-child,.panel>.table-bordered>tfoot>tr>td:first-child,.panel>.table-responsive>.table-bordered>tfoot>tr>td:first-child{border-left:0}.panel>.table-bordered>thead>tr>th:last-child,.panel>.table-responsive>.table-bordered>thead>tr>th:last-child,.panel>.table-bordered>tbody>tr>th:last-child,.panel>.table-responsive>.table-bordered>tbody>tr>th:last-child,.panel>.table-bordered>tfoot>tr>th:last-child,.panel>.table-responsive>.table-bordered>tfoot>tr>th:last-child,.panel>.table-bordered>thead>tr>td:last-child,.panel>.table-responsive>.table-bordered>thead>tr>td:last-child,.panel>.table-bordered>tbody>tr>td:last-child,.panel>.table-responsive>.table-bordered>tbody>tr>td:last-child,.panel>.table-bordered>tfoot>tr>td:last-child,.panel>.table-responsive>.table-bordered>tfoot>tr>td:last-child{border-right:0}.panel>.table-bordered>thead>tr:first-child>td,.panel>.table-responsive>.table-bordered>thead>tr:first-child>td,.panel>.table-bordered>tbody>tr:first-child>td,.panel>.table-responsive>.table-bordered>tbody>tr:first-child>td,.panel>.table-bordered>thead>tr:first-child>th,.panel>.table-responsive>.table-bordered>thead>tr:first-child>th,.panel>.table-bordered>tbody>tr:first-child>th,.panel>.table-responsive>.table-bordered>tbody>tr:first-child>th{border-bottom:0}.panel>.table-bordered>tbody>tr:last-child>td,.panel>.table-responsive>.table-bordered>tbody>tr:last-child>td,.panel>.table-bordered>tfoot>tr:last-child>td,.panel>.table-responsive>.table-bordered>tfoot>tr:last-child>td,.panel>.table-bordered>tbody>tr:last-child>th,.panel>.table-responsive>.table-bordered>tbody>tr:last-child>th,.panel>.table-bordered>tfoot>tr:last-child>th,.panel>.table-responsive>.table-bordered>tfoot>tr:last-child>th{border-bottom:0}.panel>.table-responsive{border:0;margin-bottom:0}.panel-group{margin-bottom:20px}.panel-group .panel{margin-bottom:0;border-radius:4px}.panel-group .panel+.panel{margin-top:5px}.panel-group .panel-heading{border-bottom:0}.panel-group .panel-heading+.panel-collapse>.panel-body,.panel-group .panel-heading+.panel-collapse>.list-group{border-top:1px solid #ddd}.panel-group .panel-footer{border-top:0}.panel-group .panel-footer+.panel-collapse .panel-body{border-bottom:1px solid #ddd}.panel-default{border-color:#ddd}.panel-default>.panel-heading{color:#333;background-color:#f5f5f5;border-color:#ddd}.panel-default>.panel-heading+.panel-collapse>.panel-body{border-top-color:#ddd}.panel-default>.panel-heading .badge{color:#f5f5f5;background-color:#333}.panel-default>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#ddd}.panel-primary{border-color:#428bca}.panel-primary>.panel-heading{color:#fff;background-color:#428bca;border-color:#428bca}.panel-primary>.panel-heading+.panel-collapse>.panel-body{border-top-color:#428bca}.panel-primary>.panel-heading .badge{color:#428bca;background-color:#fff}.panel-primary>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#428bca}.panel-success{border-color:#d6e9c6}.panel-success>.panel-heading{color:#3c763d;background-color:#dff0d8;border-color:#d6e9c6}.panel-success>.panel-heading+.panel-collapse>.panel-body{border-top-color:#d6e9c6}.panel-success>.panel-heading .badge{color:#dff0d8;background-color:#3c763d}.panel-success>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#d6e9c6}.panel-info{border-color:#bce8f1}.panel-info>.panel-heading{color:#31708f;background-color:#d9edf7;border-color:#bce8f1}.panel-info>.panel-heading+.panel-collapse>.panel-body{border-top-color:#bce8f1}.panel-info>.panel-heading .badge{color:#d9edf7;background-color:#31708f}.panel-info>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#bce8f1}.panel-warning{border-color:#faebcc}.panel-warning>.panel-heading{color:#8a6d3b;background-color:#fcf8e3;border-color:#faebcc}.panel-warning>.panel-heading+.panel-collapse>.panel-body{border-top-color:#faebcc}.panel-warning>.panel-heading .badge{color:#fcf8e3;background-color:#8a6d3b}.panel-warning>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#faebcc}.panel-danger{border-color:#ebccd1}.panel-danger>.panel-heading{color:#a94442;background-color:#f2dede;border-color:#ebccd1}.panel-danger>.panel-heading+.panel-collapse>.panel-body{border-top-color:#ebccd1}.panel-danger>.panel-heading .badge{color:#f2dede;background-color:#a94442}.panel-danger>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#ebccd1}.modal-open{overflow:hidden}.modal{display:none;overflow:hidden;position:fixed;top:0;right:0;bottom:0;left:0;z-index:1050;-webkit-overflow-scrolling:touch;outline:0}.modal.fade .modal-dialog{-webkit-transform:translate(0, -25%);-ms-transform:translate(0, -25%);-o-transform:translate(0, -25%);transform:translate(0, -25%);-webkit-transition:-webkit-transform 0.3s ease-out;-o-transition:-o-transform 0.3s ease-out;transition:transform 0.3s ease-out}.modal.in .modal-dialog{-webkit-transform:translate(0, 0);-ms-transform:translate(0, 0);-o-transform:translate(0, 0);transform:translate(0, 0)}.modal-open .modal{overflow-x:hidden;overflow-y:auto}.modal-dialog{position:relative;width:auto;margin:10px}.modal-content{position:relative;background-color:#fff;border:1px solid #999;border:1px solid rgba(0,0,0,0.2);border-radius:6px;-webkit-box-shadow:0 3px 9px rgba(0,0,0,0.5);box-shadow:0 3px 9px rgba(0,0,0,0.5);-webkit-background-clip:padding-box;background-clip:padding-box;outline:0}.modal-backdrop{position:fixed;top:0;right:0;bottom:0;left:0;z-index:1040;background-color:#000}.modal-backdrop.fade{opacity:0;filter:alpha(opacity=0)}.modal-backdrop.in{opacity:.5;filter:alpha(opacity=50)}.modal-header{padding:15px;border-bottom:1px solid #e5e5e5}.modal-header .close{margin-top:-2px}.modal-title{margin:0;line-height:1.42857143}.modal-body{position:relative;padding:15px}.modal-footer{padding:15px;text-align:right;border-top:1px solid #e5e5e5}.modal-footer .btn+.btn{margin-left:5px;margin-bottom:0}.modal-footer .btn-group .btn+.btn{margin-left:-1px}.modal-footer .btn-block+.btn-block{margin-left:0}.modal-scrollbar-measure{position:absolute;top:-9999px;width:50px;height:50px;overflow:scroll}@media (min-width:768px){.modal-dialog{width:600px;margin:30px auto}.modal-content{-webkit-box-shadow:0 5px 15px rgba(0,0,0,0.5);box-shadow:0 5px 15px rgba(0,0,0,0.5)}.modal-sm{width:300px}}@media (min-width:992px){.modal-lg{width:900px}}.clearfix:before,.clearfix:after,.dl-horizontal dd:before,.dl-horizontal dd:after,.container:before,.container:after,.container-fluid:before,.container-fluid:after,.row:before,.row:after,.form-horizontal .form-group:before,.form-horizontal .form-group:after,.btn-toolbar:before,.btn-toolbar:after,.btn-group-vertical>.btn-group:before,.btn-group-vertical>.btn-group:after,.nav:before,.nav:after,.navbar:before,.navbar:after,.navbar-header:before,.navbar-header:after,.navbar-collapse:before,.navbar-collapse:after,.panel-body:before,.panel-body:after,.modal-header:before,.modal-header:after,.modal-footer:before,.modal-footer:after{content:" ";display:table}.clearfix:after,.dl-horizontal dd:after,.container:after,.container-fluid:after,.row:after,.form-horizontal .form-group:after,.btn-toolbar:after,.btn-group-vertical>.btn-group:after,.nav:after,.navbar:after,.navbar-header:after,.navbar-collapse:after,.panel-body:after,.modal-header:after,.modal-footer:after{clear:both}.center-block{display:block;margin-left:auto;margin-right:auto}.pull-right{float:right !important}.pull-left{float:left !important}.hide{display:none !important}.show{display:block !important}.invisible{visibility:hidden}.text-hide{font:0/0 a;color:transparent;text-shadow:none;background-color:transparent;border:0}.hidden{display:none !important}.affix{position:fixed}@-ms-viewport{width:device-width}.visible-xs,.visible-sm,.visible-md,.visible-lg{display:none !important}.visible-xs-block,.visible-xs-inline,.visible-xs-inline-block,.visible-sm-block,.visible-sm-inline,.visible-sm-inline-block,.visible-md-block,.visible-md-inline,.visible-md-inline-block,.visible-lg-block,.visible-lg-inline,.visible-lg-inline-block{display:none !important}@media (max-width:767px){.visible-xs{display:block !important}table.visible-xs{display:table !important}tr.visible-xs{display:table-row !important}th.visible-xs,td.visible-xs{display:table-cell !important}}@media (max-width:767px){.visible-xs-block{display:block !important}}@media (max-width:767px){.visible-xs-inline{display:inline !important}}@media (max-width:767px){.visible-xs-inline-block{display:inline-block !important}}@media (min-width:768px) and (max-width:991px){.visible-sm{display:block !important}table.visible-sm{display:table !important}tr.visible-sm{display:table-row !important}th.visible-sm,td.visible-sm{display:table-cell !important}}@media (min-width:768px) and (max-width:991px){.visible-sm-block{display:block !important}}@media (min-width:768px) and (max-width:991px){.visible-sm-inline{display:inline !important}}@media (min-width:768px) and (max-width:991px){.visible-sm-inline-block{display:inline-block !important}}@media (min-width:992px) and (max-width:1199px){.visible-md{display:block !important}table.visible-md{display:table !important}tr.visible-md{display:table-row !important}th.visible-md,td.visible-md{display:table-cell !important}}@media (min-width:992px) and (max-width:1199px){.visible-md-block{display:block !important}}@media (min-width:992px) and (max-width:1199px){.visible-md-inline{display:inline !important}}@media (min-width:992px) and (max-width:1199px){.visible-md-inline-block{display:inline-block !important}}@media (min-width:1200px){.visible-lg{display:block !important}table.visible-lg{display:table !important}tr.visible-lg{display:table-row !important}th.visible-lg,td.visible-lg{display:table-cell !important}}@media (min-width:1200px){.visible-lg-block{display:block !important}}@media (min-width:1200px){.visible-lg-inline{display:inline !important}}@media (min-width:1200px){.visible-lg-inline-block{display:inline-block !important}}@media (max-width:767px){.hidden-xs{display:none !important}}@media (min-width:768px) and (max-width:991px){.hidden-sm{display:none !important}}@media (min-width:992px) and (max-width:1199px){.hidden-md{display:none !important}}@media (min-width:1200px){.hidden-lg{display:none !important}}.visible-print{display:none !important}@media print{.visible-print{display:block !important}table.visible-print{display:table !important}tr.visible-print{display:table-row !important}th.visible-print,td.visible-print{display:table-cell !important}}.visible-print-block{display:none !important}@media print{.visible-print-block{display:block !important}}.visible-print-inline{display:none !important}@media print{.visible-print-inline{display:inline !important}}.visible-print-inline-block{display:none !important}@media print{.visible-print-inline-block{display:inline-block !important}}@media print{.hidden-print{display:none !important}}table.treetable span.indenter{display:inline-block;text-align:right;user-select:none;-khtml-user-select:none;-moz-user-select:none;-o-user-select:none;-webkit-user-select:none;-webkit-box-sizing:content-box;-moz-box-sizing:content-box;box-sizing:content-box;width:19px;margin:0;padding:0;}table.treetable span.indenter a{background-position:left center;background-repeat:no-repeat;display:inline-block;text-decoration:none;width:19px;}table.treetable tr.collapsed span.indenter a{background-image:url(data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/9hAAAACXBIWXMAAAsTAAALEwEAmpwYAAAKT2lDQ1BQaG90b3Nob3AgSUNDIHByb2ZpbGUAAHjanVNnVFPpFj333vRCS4iAlEtvUhUIIFJCi4AUkSYqIQkQSoghodkVUcERRUUEG8igiAOOjoCMFVEsDIoK2AfkIaKOg6OIisr74Xuja9a89+bN/rXXPues852zzwfACAyWSDNRNYAMqUIeEeCDx8TG4eQuQIEKJHAAEAizZCFz/SMBAPh+PDwrIsAHvgABeNMLCADATZvAMByH/w/qQplcAYCEAcB0kThLCIAUAEB6jkKmAEBGAYCdmCZTAKAEAGDLY2LjAFAtAGAnf+bTAICd+Jl7AQBblCEVAaCRACATZYhEAGg7AKzPVopFAFgwABRmS8Q5ANgtADBJV2ZIALC3AMDOEAuyAAgMADBRiIUpAAR7AGDIIyN4AISZABRG8lc88SuuEOcqAAB4mbI8uSQ5RYFbCC1xB1dXLh4ozkkXKxQ2YQJhmkAuwnmZGTKBNA/g88wAAKCRFRHgg/P9eM4Ors7ONo62Dl8t6r8G/yJiYuP+5c+rcEAAAOF0ftH+LC+zGoA7BoBt/qIl7gRoXgugdfeLZrIPQLUAoOnaV/Nw+H48PEWhkLnZ2eXk5NhKxEJbYcpXff5nwl/AV/1s+X48/Pf14L7iJIEyXYFHBPjgwsz0TKUcz5IJhGLc5o9H/LcL//wd0yLESWK5WCoU41EScY5EmozzMqUiiUKSKcUl0v9k4t8s+wM+3zUAsGo+AXuRLahdYwP2SycQWHTA4vcAAPK7b8HUKAgDgGiD4c93/+8//UegJQCAZkmScQAAXkQkLlTKsz/HCAAARKCBKrBBG/TBGCzABhzBBdzBC/xgNoRCJMTCQhBCCmSAHHJgKayCQiiGzbAdKmAv1EAdNMBRaIaTcA4uwlW4Dj1wD/phCJ7BKLyBCQRByAgTYSHaiAFiilgjjggXmYX4IcFIBBKLJCDJiBRRIkuRNUgxUopUIFVIHfI9cgI5h1xGupE7yAAygvyGvEcxlIGyUT3UDLVDuag3GoRGogvQZHQxmo8WoJvQcrQaPYw2oefQq2gP2o8+Q8cwwOgYBzPEbDAuxsNCsTgsCZNjy7EirAyrxhqwVqwDu4n1Y8+xdwQSgUXACTYEd0IgYR5BSFhMWE7YSKggHCQ0EdoJNwkDhFHCJyKTqEu0JroR+cQYYjIxh1hILCPWEo8TLxB7iEPENyQSiUMyJ7mQAkmxpFTSEtJG0m5SI+ksqZs0SBojk8naZGuyBzmULCAryIXkneTD5DPkG+Qh8lsKnWJAcaT4U+IoUspqShnlEOU05QZlmDJBVaOaUt2ooVQRNY9aQq2htlKvUYeoEzR1mjnNgxZJS6WtopXTGmgXaPdpr+h0uhHdlR5Ol9BX0svpR+iX6AP0dwwNhhWDx4hnKBmbGAcYZxl3GK+YTKYZ04sZx1QwNzHrmOeZD5lvVVgqtip8FZHKCpVKlSaVGyovVKmqpqreqgtV81XLVI+pXlN9rkZVM1PjqQnUlqtVqp1Q61MbU2epO6iHqmeob1Q/pH5Z/YkGWcNMw09DpFGgsV/jvMYgC2MZs3gsIWsNq4Z1gTXEJrHN2Xx2KruY/R27iz2qqaE5QzNKM1ezUvOUZj8H45hx+Jx0TgnnKKeX836K3hTvKeIpG6Y0TLkxZVxrqpaXllirSKtRq0frvTau7aedpr1Fu1n7gQ5Bx0onXCdHZ4/OBZ3nU9lT3acKpxZNPTr1ri6qa6UbobtEd79up+6Ynr5egJ5Mb6feeb3n+hx9L/1U/W36p/VHDFgGswwkBtsMzhg8xTVxbzwdL8fb8VFDXcNAQ6VhlWGX4YSRudE8o9VGjUYPjGnGXOMk423GbcajJgYmISZLTepN7ppSTbmmKaY7TDtMx83MzaLN1pk1mz0x1zLnm+eb15vft2BaeFostqi2uGVJsuRaplnutrxuhVo5WaVYVVpds0atna0l1rutu6cRp7lOk06rntZnw7Dxtsm2qbcZsOXYBtuutm22fWFnYhdnt8Wuw+6TvZN9un2N/T0HDYfZDqsdWh1+c7RyFDpWOt6azpzuP33F9JbpL2dYzxDP2DPjthPLKcRpnVOb00dnF2e5c4PziIuJS4LLLpc+Lpsbxt3IveRKdPVxXeF60vWdm7Obwu2o26/uNu5p7ofcn8w0nymeWTNz0MPIQ+BR5dE/C5+VMGvfrH5PQ0+BZ7XnIy9jL5FXrdewt6V3qvdh7xc+9j5yn+M+4zw33jLeWV/MN8C3yLfLT8Nvnl+F30N/I/9k/3r/0QCngCUBZwOJgUGBWwL7+Hp8Ib+OPzrbZfay2e1BjKC5QRVBj4KtguXBrSFoyOyQrSH355jOkc5pDoVQfujW0Adh5mGLw34MJ4WHhVeGP45wiFga0TGXNXfR3ENz30T6RJZE3ptnMU85ry1KNSo+qi5qPNo3ujS6P8YuZlnM1VidWElsSxw5LiquNm5svt/87fOH4p3iC+N7F5gvyF1weaHOwvSFpxapLhIsOpZATIhOOJTwQRAqqBaMJfITdyWOCnnCHcJnIi/RNtGI2ENcKh5O8kgqTXqS7JG8NXkkxTOlLOW5hCepkLxMDUzdmzqeFpp2IG0yPTq9MYOSkZBxQqohTZO2Z+pn5mZ2y6xlhbL+xW6Lty8elQfJa7OQrAVZLQq2QqboVFoo1yoHsmdlV2a/zYnKOZarnivN7cyzytuQN5zvn//tEsIS4ZK2pYZLVy0dWOa9rGo5sjxxedsK4xUFK4ZWBqw8uIq2Km3VT6vtV5eufr0mek1rgV7ByoLBtQFr6wtVCuWFfevc1+1dT1gvWd+1YfqGnRs+FYmKrhTbF5cVf9go3HjlG4dvyr+Z3JS0qavEuWTPZtJm6ebeLZ5bDpaql+aXDm4N2dq0Dd9WtO319kXbL5fNKNu7g7ZDuaO/PLi8ZafJzs07P1SkVPRU+lQ27tLdtWHX+G7R7ht7vPY07NXbW7z3/T7JvttVAVVN1WbVZftJ+7P3P66Jqun4lvttXa1ObXHtxwPSA/0HIw6217nU1R3SPVRSj9Yr60cOxx++/p3vdy0NNg1VjZzG4iNwRHnk6fcJ3/ceDTradox7rOEH0x92HWcdL2pCmvKaRptTmvtbYlu6T8w+0dbq3nr8R9sfD5w0PFl5SvNUyWna6YLTk2fyz4ydlZ19fi753GDborZ752PO32oPb++6EHTh0kX/i+c7vDvOXPK4dPKy2+UTV7hXmq86X23qdOo8/pPTT8e7nLuarrlca7nuer21e2b36RueN87d9L158Rb/1tWeOT3dvfN6b/fF9/XfFt1+cif9zsu72Xcn7q28T7xf9EDtQdlD3YfVP1v+3Njv3H9qwHeg89HcR/cGhYPP/pH1jw9DBY+Zj8uGDYbrnjg+OTniP3L96fynQ89kzyaeF/6i/suuFxYvfvjV69fO0ZjRoZfyl5O/bXyl/erA6xmv28bCxh6+yXgzMV70VvvtwXfcdx3vo98PT+R8IH8o/2j5sfVT0Kf7kxmTk/8EA5jz/GMzLdsAAAAgY0hSTQAAeiUAAICDAAD5/wAAgOkAAHUwAADqYAAAOpgAABdvkl/FRgAAAHlJREFUeNrcU1sNgDAQ6wgmcAM2MICGGlg1gJnNzWQcvwQGy1j4oUl/7tH0mpwzM7SgQyO+EZAUWh2MkkzSWhJwuRAlHYsJwEwyvs1gABDuzqoJcTw5qxaIJN0bgQRgIjnlmn1heSO5PE6Y2YXe+5Cr5+h++gs12AcAS6FS+7YOsj4AAAAASUVORK5CYII=);}table.treetable tr.expanded span.indenter a{background-image:url(data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/9hAAAACXBIWXMAAAsTAAALEwEAmpwYAAAKT2lDQ1BQaG90b3Nob3AgSUNDIHByb2ZpbGUAAHjanVNnVFPpFj333vRCS4iAlEtvUhUIIFJCi4AUkSYqIQkQSoghodkVUcERRUUEG8igiAOOjoCMFVEsDIoK2AfkIaKOg6OIisr74Xuja9a89+bN/rXXPues852zzwfACAyWSDNRNYAMqUIeEeCDx8TG4eQuQIEKJHAAEAizZCFz/SMBAPh+PDwrIsAHvgABeNMLCADATZvAMByH/w/qQplcAYCEAcB0kThLCIAUAEB6jkKmAEBGAYCdmCZTAKAEAGDLY2LjAFAtAGAnf+bTAICd+Jl7AQBblCEVAaCRACATZYhEAGg7AKzPVopFAFgwABRmS8Q5ANgtADBJV2ZIALC3AMDOEAuyAAgMADBRiIUpAAR7AGDIIyN4AISZABRG8lc88SuuEOcqAAB4mbI8uSQ5RYFbCC1xB1dXLh4ozkkXKxQ2YQJhmkAuwnmZGTKBNA/g88wAAKCRFRHgg/P9eM4Ors7ONo62Dl8t6r8G/yJiYuP+5c+rcEAAAOF0ftH+LC+zGoA7BoBt/qIl7gRoXgugdfeLZrIPQLUAoOnaV/Nw+H48PEWhkLnZ2eXk5NhKxEJbYcpXff5nwl/AV/1s+X48/Pf14L7iJIEyXYFHBPjgwsz0TKUcz5IJhGLc5o9H/LcL//wd0yLESWK5WCoU41EScY5EmozzMqUiiUKSKcUl0v9k4t8s+wM+3zUAsGo+AXuRLahdYwP2SycQWHTA4vcAAPK7b8HUKAgDgGiD4c93/+8//UegJQCAZkmScQAAXkQkLlTKsz/HCAAARKCBKrBBG/TBGCzABhzBBdzBC/xgNoRCJMTCQhBCCmSAHHJgKayCQiiGzbAdKmAv1EAdNMBRaIaTcA4uwlW4Dj1wD/phCJ7BKLyBCQRByAgTYSHaiAFiilgjjggXmYX4IcFIBBKLJCDJiBRRIkuRNUgxUopUIFVIHfI9cgI5h1xGupE7yAAygvyGvEcxlIGyUT3UDLVDuag3GoRGogvQZHQxmo8WoJvQcrQaPYw2oefQq2gP2o8+Q8cwwOgYBzPEbDAuxsNCsTgsCZNjy7EirAyrxhqwVqwDu4n1Y8+xdwQSgUXACTYEd0IgYR5BSFhMWE7YSKggHCQ0EdoJNwkDhFHCJyKTqEu0JroR+cQYYjIxh1hILCPWEo8TLxB7iEPENyQSiUMyJ7mQAkmxpFTSEtJG0m5SI+ksqZs0SBojk8naZGuyBzmULCAryIXkneTD5DPkG+Qh8lsKnWJAcaT4U+IoUspqShnlEOU05QZlmDJBVaOaUt2ooVQRNY9aQq2htlKvUYeoEzR1mjnNgxZJS6WtopXTGmgXaPdpr+h0uhHdlR5Ol9BX0svpR+iX6AP0dwwNhhWDx4hnKBmbGAcYZxl3GK+YTKYZ04sZx1QwNzHrmOeZD5lvVVgqtip8FZHKCpVKlSaVGyovVKmqpqreqgtV81XLVI+pXlN9rkZVM1PjqQnUlqtVqp1Q61MbU2epO6iHqmeob1Q/pH5Z/YkGWcNMw09DpFGgsV/jvMYgC2MZs3gsIWsNq4Z1gTXEJrHN2Xx2KruY/R27iz2qqaE5QzNKM1ezUvOUZj8H45hx+Jx0TgnnKKeX836K3hTvKeIpG6Y0TLkxZVxrqpaXllirSKtRq0frvTau7aedpr1Fu1n7gQ5Bx0onXCdHZ4/OBZ3nU9lT3acKpxZNPTr1ri6qa6UbobtEd79up+6Ynr5egJ5Mb6feeb3n+hx9L/1U/W36p/VHDFgGswwkBtsMzhg8xTVxbzwdL8fb8VFDXcNAQ6VhlWGX4YSRudE8o9VGjUYPjGnGXOMk423GbcajJgYmISZLTepN7ppSTbmmKaY7TDtMx83MzaLN1pk1mz0x1zLnm+eb15vft2BaeFostqi2uGVJsuRaplnutrxuhVo5WaVYVVpds0atna0l1rutu6cRp7lOk06rntZnw7Dxtsm2qbcZsOXYBtuutm22fWFnYhdnt8Wuw+6TvZN9un2N/T0HDYfZDqsdWh1+c7RyFDpWOt6azpzuP33F9JbpL2dYzxDP2DPjthPLKcRpnVOb00dnF2e5c4PziIuJS4LLLpc+Lpsbxt3IveRKdPVxXeF60vWdm7Obwu2o26/uNu5p7ofcn8w0nymeWTNz0MPIQ+BR5dE/C5+VMGvfrH5PQ0+BZ7XnIy9jL5FXrdewt6V3qvdh7xc+9j5yn+M+4zw33jLeWV/MN8C3yLfLT8Nvnl+F30N/I/9k/3r/0QCngCUBZwOJgUGBWwL7+Hp8Ib+OPzrbZfay2e1BjKC5QRVBj4KtguXBrSFoyOyQrSH355jOkc5pDoVQfujW0Adh5mGLw34MJ4WHhVeGP45wiFga0TGXNXfR3ENz30T6RJZE3ptnMU85ry1KNSo+qi5qPNo3ujS6P8YuZlnM1VidWElsSxw5LiquNm5svt/87fOH4p3iC+N7F5gvyF1weaHOwvSFpxapLhIsOpZATIhOOJTwQRAqqBaMJfITdyWOCnnCHcJnIi/RNtGI2ENcKh5O8kgqTXqS7JG8NXkkxTOlLOW5hCepkLxMDUzdmzqeFpp2IG0yPTq9MYOSkZBxQqohTZO2Z+pn5mZ2y6xlhbL+xW6Lty8elQfJa7OQrAVZLQq2QqboVFoo1yoHsmdlV2a/zYnKOZarnivN7cyzytuQN5zvn//tEsIS4ZK2pYZLVy0dWOa9rGo5sjxxedsK4xUFK4ZWBqw8uIq2Km3VT6vtV5eufr0mek1rgV7ByoLBtQFr6wtVCuWFfevc1+1dT1gvWd+1YfqGnRs+FYmKrhTbF5cVf9go3HjlG4dvyr+Z3JS0qavEuWTPZtJm6ebeLZ5bDpaql+aXDm4N2dq0Dd9WtO319kXbL5fNKNu7g7ZDuaO/PLi8ZafJzs07P1SkVPRU+lQ27tLdtWHX+G7R7ht7vPY07NXbW7z3/T7JvttVAVVN1WbVZftJ+7P3P66Jqun4lvttXa1ObXHtxwPSA/0HIw6217nU1R3SPVRSj9Yr60cOxx++/p3vdy0NNg1VjZzG4iNwRHnk6fcJ3/ceDTradox7rOEH0x92HWcdL2pCmvKaRptTmvtbYlu6T8w+0dbq3nr8R9sfD5w0PFl5SvNUyWna6YLTk2fyz4ydlZ19fi753GDborZ752PO32oPb++6EHTh0kX/i+c7vDvOXPK4dPKy2+UTV7hXmq86X23qdOo8/pPTT8e7nLuarrlca7nuer21e2b36RueN87d9L158Rb/1tWeOT3dvfN6b/fF9/XfFt1+cif9zsu72Xcn7q28T7xf9EDtQdlD3YfVP1v+3Njv3H9qwHeg89HcR/cGhYPP/pH1jw9DBY+Zj8uGDYbrnjg+OTniP3L96fynQ89kzyaeF/6i/suuFxYvfvjV69fO0ZjRoZfyl5O/bXyl/erA6xmv28bCxh6+yXgzMV70VvvtwXfcdx3vo98PT+R8IH8o/2j5sfVT0Kf7kxmTk/8EA5jz/GMzLdsAAAAgY0hSTQAAeiUAAICDAAD5/wAAgOkAAHUwAADqYAAAOpgAABdvkl/FRgAAAHFJREFUeNpi/P//PwMlgImBQsA44C6gvhfa29v3MzAwOODRc6CystIRbxi0t7fjDJjKykpGYrwwi1hxnLHQ3t7+jIGBQRJJ6HllZaUUKYEYRYBPOB0gBShKwKGA////48VtbW3/8clTnBIH3gCKkzJgAGvBX0dDm0sCAAAAAElFTkSuQmCC);}table.treetable tr.branch{background-color:#f9f9f9;}table.treetable tr.selected{background-color:#3875d7;color:#fff;}table.treetable tr span.indenter a{outline:none;}tr.rule-overview-needs-attention td a{color:#d9534f;}td.rule-result div,span.rule-result{text-align:center;font-weight:700;color:#fff;background:gray;}td.rule-result-unknown div,span.rule-result-unknown{background:#f0ad4e;}.js-only{display:none;}.rule-detail-fail,.rule-detail-error,.rule-detail-unknown{border:2px solid #d9534f;}#footer{text-align:center;margin-top:50px;}pre{overflow:auto!important;word-wrap:normal!important;white-space:pre-wrap;}div.check-system-details,div.remediation,div.description{display:inline-block;width:0;min-width:100%;overflow-x:auto;}div.profile-description{white-space:pre-wrap;}div.modal-body{margin:50px;padding:0;}div.horizontal-scroll{overflow-x:auto;}div.top-spacer-10{margin-top:10px;}td.rule-result-fail div,span.rule-result-fail,td.rule-result-error div,span.rule-result-error{background:#d9534f;}td.rule-result-pass div,span.rule-result-pass,td.rule-result-fixed div,span.rule-result-fixed{background:#5cb85c;}.rule-result-filtered,.rule-result-filtered > *,.search-no-match,.search-no-match > *{display:none!important;}@media print{.container{width:100%;}.rule-result abbr[title]:after,.identifiers abbr[title]:after,.identifiers a[href]:after{content:"";}}</style><script> >/*! jQuery v1.12.4 | (c) jQuery Foundation | jquery.org/license */ >!function(a,b){"object"==typeof module&&"object"==typeof module.exports?module.exports=a.document?b(a,!0):function(a){if(!a.document)throw new Error("jQuery requires a window with a document");return b(a)}:b(a)}("undefined"!=typeof window?window:this,function(a,b){var c=[],d=a.document,e=c.slice,f=c.concat,g=c.push,h=c.indexOf,i={},j=i.toString,k=i.hasOwnProperty,l={},m="1.12.4",n=function(a,b){return new n.fn.init(a,b)},o=/^[\s\uFEFF\xA0]+|[\s\uFEFF\xA0]+$/g,p=/^-ms-/,q=/-([\da-z])/gi,r=function(a,b){return b.toUpperCase()};n.fn=n.prototype={jquery:m,constructor:n,selector:"",length:0,toArray:function(){return e.call(this)},get:function(a){return null!=a?0>a?this[a+this.length]:this[a]:e.call(this)},pushStack:function(a){var b=n.merge(this.constructor(),a);return b.prevObject=this,b.context=this.context,b},each:function(a){return n.each(this,a)},map:function(a){return this.pushStack(n.map(this,function(b,c){return a.call(b,c,b)}))},slice:function(){return this.pushStack(e.apply(this,arguments))},first:function(){return this.eq(0)},last:function(){return this.eq(-1)},eq:function(a){var b=this.length,c=+a+(0>a?b:0);return this.pushStack(c>=0&&b>c?[this[c]]:[])},end:function(){return this.prevObject||this.constructor()},push:g,sort:c.sort,splice:c.splice},n.extend=n.fn.extend=function(){var a,b,c,d,e,f,g=arguments[0]||{},h=1,i=arguments.length,j=!1;for("boolean"==typeof g&&(j=g,g=arguments[h]||{},h++),"object"==typeof g||n.isFunction(g)||(g={}),h===i&&(g=this,h--);i>h;h++)if(null!=(e=arguments[h]))for(d in e)a=g[d],c=e[d],g!==c&&(j&&c&&(n.isPlainObject(c)||(b=n.isArray(c)))?(b?(b=!1,f=a&&n.isArray(a)?a:[]):f=a&&n.isPlainObject(a)?a:{},g[d]=n.extend(j,f,c)):void 0!==c&&(g[d]=c));return g},n.extend({expando:"jQuery"+(m+Math.random()).replace(/\D/g,""),isReady:!0,error:function(a){throw new Error(a)},noop:function(){},isFunction:function(a){return"function"===n.type(a)},isArray:Array.isArray||function(a){return"array"===n.type(a)},isWindow:function(a){return null!=a&&a==a.window},isNumeric:function(a){var b=a&&a.toString();return!n.isArray(a)&&b-parseFloat(b)+1>=0},isEmptyObject:function(a){var b;for(b in a)return!1;return!0},isPlainObject:function(a){var b;if(!a||"object"!==n.type(a)||a.nodeType||n.isWindow(a))return!1;try{if(a.constructor&&!k.call(a,"constructor")&&!k.call(a.constructor.prototype,"isPrototypeOf"))return!1}catch(c){return!1}if(!l.ownFirst)for(b in a)return k.call(a,b);for(b in a);return void 0===b||k.call(a,b)},type:function(a){return null==a?a+"":"object"==typeof a||"function"==typeof a?i[j.call(a)]||"object":typeof a},globalEval:function(b){b&&n.trim(b)&&(a.execScript||function(b){a.eval.call(a,b)})(b)},camelCase:function(a){return a.replace(p,"ms-").replace(q,r)},nodeName:function(a,b){return a.nodeName&&a.nodeName.toLowerCase()===b.toLowerCase()},each:function(a,b){var c,d=0;if(s(a)){for(c=a.length;c>d;d++)if(b.call(a[d],d,a[d])===!1)break}else for(d in a)if(b.call(a[d],d,a[d])===!1)break;return a},trim:function(a){return null==a?"":(a+"").replace(o,"")},makeArray:function(a,b){var c=b||[];return null!=a&&(s(Object(a))?n.merge(c,"string"==typeof a?[a]:a):g.call(c,a)),c},inArray:function(a,b,c){var d;if(b){if(h)return h.call(b,a,c);for(d=b.length,c=c?0>c?Math.max(0,d+c):c:0;d>c;c++)if(c in b&&b[c]===a)return c}return-1},merge:function(a,b){var c=+b.length,d=0,e=a.length;while(c>d)a[e++]=b[d++];if(c!==c)while(void 0!==b[d])a[e++]=b[d++];return a.length=e,a},grep:function(a,b,c){for(var d,e=[],f=0,g=a.length,h=!c;g>f;f++)d=!b(a[f],f),d!==h&&e.push(a[f]);return e},map:function(a,b,c){var d,e,g=0,h=[];if(s(a))for(d=a.length;d>g;g++)e=b(a[g],g,c),null!=e&&h.push(e);else for(g in a)e=b(a[g],g,c),null!=e&&h.push(e);return f.apply([],h)},guid:1,proxy:function(a,b){var c,d,f;return"string"==typeof b&&(f=a[b],b=a,a=f),n.isFunction(a)?(c=e.call(arguments,2),d=function(){return a.apply(b||this,c.concat(e.call(arguments)))},d.guid=a.guid=a.guid||n.guid++,d):void 0},now:function(){return+new Date},support:l}),"function"==typeof Symbol&&(n.fn[Symbol.iterator]=c[Symbol.iterator]),n.each("Boolean Number String Function Array Date RegExp Object Error Symbol".split(" "),function(a,b){i["[object "+b+"]"]=b.toLowerCase()});function s(a){var b=!!a&&"length"in a&&a.length,c=n.type(a);return"function"===c||n.isWindow(a)?!1:"array"===c||0===b||"number"==typeof b&&b>0&&b-1 in a}var t=function(a){var b,c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u="sizzle"+1*new Date,v=a.document,w=0,x=0,y=ga(),z=ga(),A=ga(),B=function(a,b){return a===b&&(l=!0),0},C=1<<31,D={}.hasOwnProperty,E=[],F=E.pop,G=E.push,H=E.push,I=E.slice,J=function(a,b){for(var c=0,d=a.length;d>c;c++)if(a[c]===b)return c;return-1},K="checked|selected|async|autofocus|autoplay|controls|defer|disabled|hidden|ismap|loop|multiple|open|readonly|required|scoped",L="[\\x20\\t\\r\\n\\f]",M="(?:\\\\.|[\\w-]|[^\\x00-\\xa0])+",N="\\["+L+"*("+M+")(?:"+L+"*([*^$|!~]?=)"+L+"*(?:'((?:\\\\.|[^\\\\'])*)'|\"((?:\\\\.|[^\\\\\"])*)\"|("+M+"))|)"+L+"*\\]",O=":("+M+")(?:\\((('((?:\\\\.|[^\\\\'])*)'|\"((?:\\\\.|[^\\\\\"])*)\")|((?:\\\\.|[^\\\\()[\\]]|"+N+")*)|.*)\\)|)",P=new RegExp(L+"+","g"),Q=new RegExp("^"+L+"+|((?:^|[^\\\\])(?:\\\\.)*)"+L+"+$","g"),R=new RegExp("^"+L+"*,"+L+"*"),S=new RegExp("^"+L+"*([>+~]|"+L+")"+L+"*"),T=new RegExp("="+L+"*([^\\]'\"]*?)"+L+"*\\]","g"),U=new RegExp(O),V=new RegExp("^"+M+"$"),W={ID:new RegExp("^#("+M+")"),CLASS:new RegExp("^\\.("+M+")"),TAG:new RegExp("^("+M+"|[*])"),ATTR:new RegExp("^"+N),PSEUDO:new RegExp("^"+O),CHILD:new RegExp("^:(only|first|last|nth|nth-last)-(child|of-type)(?:\\("+L+"*(even|odd|(([+-]|)(\\d*)n|)"+L+"*(?:([+-]|)"+L+"*(\\d+)|))"+L+"*\\)|)","i"),bool:new RegExp("^(?:"+K+")$","i"),needsContext:new RegExp("^"+L+"*[>+~]|:(even|odd|eq|gt|lt|nth|first|last)(?:\\("+L+"*((?:-\\d)?\\d*)"+L+"*\\)|)(?=[^-]|$)","i")},X=/^(?:input|select|textarea|button)$/i,Y=/^h\d$/i,Z=/^[^{]+\{\s*\[native \w/,$=/^(?:#([\w-]+)|(\w+)|\.([\w-]+))$/,_=/[+~]/,aa=/'|\\/g,ba=new RegExp("\\\\([\\da-f]{1,6}"+L+"?|("+L+")|.)","ig"),ca=function(a,b,c){var d="0x"+b-65536;return d!==d||c?b:0>d?String.fromCharCode(d+65536):String.fromCharCode(d>>10|55296,1023&d|56320)},da=function(){m()};try{H.apply(E=I.call(v.childNodes),v.childNodes),E[v.childNodes.length].nodeType}catch(ea){H={apply:E.length?function(a,b){G.apply(a,I.call(b))}:function(a,b){var c=a.length,d=0;while(a[c++]=b[d++]);a.length=c-1}}}function fa(a,b,d,e){var f,h,j,k,l,o,r,s,w=b&&b.ownerDocument,x=b?b.nodeType:9;if(d=d||[],"string"!=typeof a||!a||1!==x&&9!==x&&11!==x)return d;if(!e&&((b?b.ownerDocument||b:v)!==n&&m(b),b=b||n,p)){if(11!==x&&(o=$.exec(a)))if(f=o[1]){if(9===x){if(!(j=b.getElementById(f)))return d;if(j.id===f)return d.push(j),d}else if(w&&(j=w.getElementById(f))&&t(b,j)&&j.id===f)return d.push(j),d}else{if(o[2])return H.apply(d,b.getElementsByTagName(a)),d;if((f=o[3])&&c.getElementsByClassName&&b.getElementsByClassName)return H.apply(d,b.getElementsByClassName(f)),d}if(c.qsa&&!A[a+" "]&&(!q||!q.test(a))){if(1!==x)w=b,s=a;else if("object"!==b.nodeName.toLowerCase()){(k=b.getAttribute("id"))?k=k.replace(aa,"\\$&"):b.setAttribute("id",k=u),r=g(a),h=r.length,l=V.test(k)?"#"+k:"[id='"+k+"']";while(h--)r[h]=l+" "+qa(r[h]);s=r.join(","),w=_.test(a)&&oa(b.parentNode)||b}if(s)try{return H.apply(d,w.querySelectorAll(s)),d}catch(y){}finally{k===u&&b.removeAttribute("id")}}}return i(a.replace(Q,"$1"),b,d,e)}function ga(){var a=[];function b(c,e){return a.push(c+" ")>d.cacheLength&&delete b[a.shift()],b[c+" "]=e}return b}function ha(a){return a[u]=!0,a}function ia(a){var b=n.createElement("div");try{return!!a(b)}catch(c){return!1}finally{b.parentNode&&b.parentNode.removeChild(b),b=null}}function ja(a,b){var c=a.split("|"),e=c.length;while(e--)d.attrHandle[c[e]]=b}function ka(a,b){var c=b&&a,d=c&&1===a.nodeType&&1===b.nodeType&&(~b.sourceIndex||C)-(~a.sourceIndex||C);if(d)return d;if(c)while(c=c.nextSibling)if(c===b)return-1;return a?1:-1}function la(a){return function(b){var c=b.nodeName.toLowerCase();return"input"===c&&b.type===a}}function ma(a){return function(b){var c=b.nodeName.toLowerCase();return("input"===c||"button"===c)&&b.type===a}}function na(a){return ha(function(b){return b=+b,ha(function(c,d){var e,f=a([],c.length,b),g=f.length;while(g--)c[e=f[g]]&&(c[e]=!(d[e]=c[e]))})})}function oa(a){return a&&"undefined"!=typeof a.getElementsByTagName&&a}c=fa.support={},f=fa.isXML=function(a){var b=a&&(a.ownerDocument||a).documentElement;return b?"HTML"!==b.nodeName:!1},m=fa.setDocument=function(a){var b,e,g=a?a.ownerDocument||a:v;return g!==n&&9===g.nodeType&&g.documentElement?(n=g,o=n.documentElement,p=!f(n),(e=n.defaultView)&&e.top!==e&&(e.addEventListener?e.addEventListener("unload",da,!1):e.attachEvent&&e.attachEvent("onunload",da)),c.attributes=ia(function(a){return a.className="i",!a.getAttribute("className")}),c.getElementsByTagName=ia(function(a){return a.appendChild(n.createComment("")),!a.getElementsByTagName("*").length}),c.getElementsByClassName=Z.test(n.getElementsByClassName),c.getById=ia(function(a){return o.appendChild(a).id=u,!n.getElementsByName||!n.getElementsByName(u).length}),c.getById?(d.find.ID=function(a,b){if("undefined"!=typeof b.getElementById&&p){var c=b.getElementById(a);return c?[c]:[]}},d.filter.ID=function(a){var b=a.replace(ba,ca);return function(a){return a.getAttribute("id")===b}}):(delete d.find.ID,d.filter.ID=function(a){var b=a.replace(ba,ca);return function(a){var c="undefined"!=typeof a.getAttributeNode&&a.getAttributeNode("id");return c&&c.value===b}}),d.find.TAG=c.getElementsByTagName?function(a,b){return"undefined"!=typeof b.getElementsByTagName?b.getElementsByTagName(a):c.qsa?b.querySelectorAll(a):void 0}:function(a,b){var c,d=[],e=0,f=b.getElementsByTagName(a);if("*"===a){while(c=f[e++])1===c.nodeType&&d.push(c);return d}return f},d.find.CLASS=c.getElementsByClassName&&function(a,b){return"undefined"!=typeof b.getElementsByClassName&&p?b.getElementsByClassName(a):void 0},r=[],q=[],(c.qsa=Z.test(n.querySelectorAll))&&(ia(function(a){o.appendChild(a).innerHTML="<a id='"+u+"'></a><select id='"+u+"-\r\\' msallowcapture=''><option selected=''></option></select>",a.querySelectorAll("[msallowcapture^='']").length&&q.push("[*^$]="+L+"*(?:''|\"\")"),a.querySelectorAll("[selected]").length||q.push("\\["+L+"*(?:value|"+K+")"),a.querySelectorAll("[id~="+u+"-]").length||q.push("~="),a.querySelectorAll(":checked").length||q.push(":checked"),a.querySelectorAll("a#"+u+"+*").length||q.push(".#.+[+~]")}),ia(function(a){var b=n.createElement("input");b.setAttribute("type","hidden"),a.appendChild(b).setAttribute("name","D"),a.querySelectorAll("[name=d]").length&&q.push("name"+L+"*[*^$|!~]?="),a.querySelectorAll(":enabled").length||q.push(":enabled",":disabled"),a.querySelectorAll("*,:x"),q.push(",.*:")})),(c.matchesSelector=Z.test(s=o.matches||o.webkitMatchesSelector||o.mozMatchesSelector||o.oMatchesSelector||o.msMatchesSelector))&&ia(function(a){c.disconnectedMatch=s.call(a,"div"),s.call(a,"[s!='']:x"),r.push("!=",O)}),q=q.length&&new RegExp(q.join("|")),r=r.length&&new RegExp(r.join("|")),b=Z.test(o.compareDocumentPosition),t=b||Z.test(o.contains)?function(a,b){var c=9===a.nodeType?a.documentElement:a,d=b&&b.parentNode;return a===d||!(!d||1!==d.nodeType||!(c.contains?c.contains(d):a.compareDocumentPosition&&16&a.compareDocumentPosition(d)))}:function(a,b){if(b)while(b=b.parentNode)if(b===a)return!0;return!1},B=b?function(a,b){if(a===b)return l=!0,0;var d=!a.compareDocumentPosition-!b.compareDocumentPosition;return d?d:(d=(a.ownerDocument||a)===(b.ownerDocument||b)?a.compareDocumentPosition(b):1,1&d||!c.sortDetached&&b.compareDocumentPosition(a)===d?a===n||a.ownerDocument===v&&t(v,a)?-1:b===n||b.ownerDocument===v&&t(v,b)?1:k?J(k,a)-J(k,b):0:4&d?-1:1)}:function(a,b){if(a===b)return l=!0,0;var c,d=0,e=a.parentNode,f=b.parentNode,g=[a],h=[b];if(!e||!f)return a===n?-1:b===n?1:e?-1:f?1:k?J(k,a)-J(k,b):0;if(e===f)return ka(a,b);c=a;while(c=c.parentNode)g.unshift(c);c=b;while(c=c.parentNode)h.unshift(c);while(g[d]===h[d])d++;return d?ka(g[d],h[d]):g[d]===v?-1:h[d]===v?1:0},n):n},fa.matches=function(a,b){return fa(a,null,null,b)},fa.matchesSelector=function(a,b){if((a.ownerDocument||a)!==n&&m(a),b=b.replace(T,"='$1']"),c.matchesSelector&&p&&!A[b+" "]&&(!r||!r.test(b))&&(!q||!q.test(b)))try{var d=s.call(a,b);if(d||c.disconnectedMatch||a.document&&11!==a.document.nodeType)return d}catch(e){}return fa(b,n,null,[a]).length>0},fa.contains=function(a,b){return(a.ownerDocument||a)!==n&&m(a),t(a,b)},fa.attr=function(a,b){(a.ownerDocument||a)!==n&&m(a);var e=d.attrHandle[b.toLowerCase()],f=e&&D.call(d.attrHandle,b.toLowerCase())?e(a,b,!p):void 0;return void 0!==f?f:c.attributes||!p?a.getAttribute(b):(f=a.getAttributeNode(b))&&f.specified?f.value:null},fa.error=function(a){throw new Error("Syntax error, unrecognized expression: "+a)},fa.uniqueSort=function(a){var b,d=[],e=0,f=0;if(l=!c.detectDuplicates,k=!c.sortStable&&a.slice(0),a.sort(B),l){while(b=a[f++])b===a[f]&&(e=d.push(f));while(e--)a.splice(d[e],1)}return k=null,a},e=fa.getText=function(a){var b,c="",d=0,f=a.nodeType;if(f){if(1===f||9===f||11===f){if("string"==typeof a.textContent)return a.textContent;for(a=a.firstChild;a;a=a.nextSibling)c+=e(a)}else if(3===f||4===f)return a.nodeValue}else while(b=a[d++])c+=e(b);return c},d=fa.selectors={cacheLength:50,createPseudo:ha,match:W,attrHandle:{},find:{},relative:{">":{dir:"parentNode",first:!0}," ":{dir:"parentNode"},"+":{dir:"previousSibling",first:!0},"~":{dir:"previousSibling"}},preFilter:{ATTR:function(a){return a[1]=a[1].replace(ba,ca),a[3]=(a[3]||a[4]||a[5]||"").replace(ba,ca),"~="===a[2]&&(a[3]=" "+a[3]+" "),a.slice(0,4)},CHILD:function(a){return a[1]=a[1].toLowerCase(),"nth"===a[1].slice(0,3)?(a[3]||fa.error(a[0]),a[4]=+(a[4]?a[5]+(a[6]||1):2*("even"===a[3]||"odd"===a[3])),a[5]=+(a[7]+a[8]||"odd"===a[3])):a[3]&&fa.error(a[0]),a},PSEUDO:function(a){var b,c=!a[6]&&a[2];return W.CHILD.test(a[0])?null:(a[3]?a[2]=a[4]||a[5]||"":c&&U.test(c)&&(b=g(c,!0))&&(b=c.indexOf(")",c.length-b)-c.length)&&(a[0]=a[0].slice(0,b),a[2]=c.slice(0,b)),a.slice(0,3))}},filter:{TAG:function(a){var b=a.replace(ba,ca).toLowerCase();return"*"===a?function(){return!0}:function(a){return a.nodeName&&a.nodeName.toLowerCase()===b}},CLASS:function(a){var b=y[a+" "];return b||(b=new RegExp("(^|"+L+")"+a+"("+L+"|$)"))&&y(a,function(a){return b.test("string"==typeof a.className&&a.className||"undefined"!=typeof a.getAttribute&&a.getAttribute("class")||"")})},ATTR:function(a,b,c){return function(d){var e=fa.attr(d,a);return null==e?"!="===b:b?(e+="","="===b?e===c:"!="===b?e!==c:"^="===b?c&&0===e.indexOf(c):"*="===b?c&&e.indexOf(c)>-1:"$="===b?c&&e.slice(-c.length)===c:"~="===b?(" "+e.replace(P," ")+" ").indexOf(c)>-1:"|="===b?e===c||e.slice(0,c.length+1)===c+"-":!1):!0}},CHILD:function(a,b,c,d,e){var f="nth"!==a.slice(0,3),g="last"!==a.slice(-4),h="of-type"===b;return 1===d&&0===e?function(a){return!!a.parentNode}:function(b,c,i){var j,k,l,m,n,o,p=f!==g?"nextSibling":"previousSibling",q=b.parentNode,r=h&&b.nodeName.toLowerCase(),s=!i&&!h,t=!1;if(q){if(f){while(p){m=b;while(m=m[p])if(h?m.nodeName.toLowerCase()===r:1===m.nodeType)return!1;o=p="only"===a&&!o&&"nextSibling"}return!0}if(o=[g?q.firstChild:q.lastChild],g&&s){m=q,l=m[u]||(m[u]={}),k=l[m.uniqueID]||(l[m.uniqueID]={}),j=k[a]||[],n=j[0]===w&&j[1],t=n&&j[2],m=n&&q.childNodes[n];while(m=++n&&m&&m[p]||(t=n=0)||o.pop())if(1===m.nodeType&&++t&&m===b){k[a]=[w,n,t];break}}else if(s&&(m=b,l=m[u]||(m[u]={}),k=l[m.uniqueID]||(l[m.uniqueID]={}),j=k[a]||[],n=j[0]===w&&j[1],t=n),t===!1)while(m=++n&&m&&m[p]||(t=n=0)||o.pop())if((h?m.nodeName.toLowerCase()===r:1===m.nodeType)&&++t&&(s&&(l=m[u]||(m[u]={}),k=l[m.uniqueID]||(l[m.uniqueID]={}),k[a]=[w,t]),m===b))break;return t-=e,t===d||t%d===0&&t/d>=0}}},PSEUDO:function(a,b){var c,e=d.pseudos[a]||d.setFilters[a.toLowerCase()]||fa.error("unsupported pseudo: "+a);return e[u]?e(b):e.length>1?(c=[a,a,"",b],d.setFilters.hasOwnProperty(a.toLowerCase())?ha(function(a,c){var d,f=e(a,b),g=f.length;while(g--)d=J(a,f[g]),a[d]=!(c[d]=f[g])}):function(a){return e(a,0,c)}):e}},pseudos:{not:ha(function(a){var b=[],c=[],d=h(a.replace(Q,"$1"));return d[u]?ha(function(a,b,c,e){var f,g=d(a,null,e,[]),h=a.length;while(h--)(f=g[h])&&(a[h]=!(b[h]=f))}):function(a,e,f){return b[0]=a,d(b,null,f,c),b[0]=null,!c.pop()}}),has:ha(function(a){return function(b){return fa(a,b).length>0}}),contains:ha(function(a){return a=a.replace(ba,ca),function(b){return(b.textContent||b.innerText||e(b)).indexOf(a)>-1}}),lang:ha(function(a){return V.test(a||"")||fa.error("unsupported lang: "+a),a=a.replace(ba,ca).toLowerCase(),function(b){var c;do if(c=p?b.lang:b.getAttribute("xml:lang")||b.getAttribute("lang"))return c=c.toLowerCase(),c===a||0===c.indexOf(a+"-");while((b=b.parentNode)&&1===b.nodeType);return!1}}),target:function(b){var c=a.location&&a.location.hash;return c&&c.slice(1)===b.id},root:function(a){return a===o},focus:function(a){return a===n.activeElement&&(!n.hasFocus||n.hasFocus())&&!!(a.type||a.href||~a.tabIndex)},enabled:function(a){return a.disabled===!1},disabled:function(a){return a.disabled===!0},checked:function(a){var b=a.nodeName.toLowerCase();return"input"===b&&!!a.checked||"option"===b&&!!a.selected},selected:function(a){return a.parentNode&&a.parentNode.selectedIndex,a.selected===!0},empty:function(a){for(a=a.firstChild;a;a=a.nextSibling)if(a.nodeType<6)return!1;return!0},parent:function(a){return!d.pseudos.empty(a)},header:function(a){return Y.test(a.nodeName)},input:function(a){return X.test(a.nodeName)},button:function(a){var b=a.nodeName.toLowerCase();return"input"===b&&"button"===a.type||"button"===b},text:function(a){var b;return"input"===a.nodeName.toLowerCase()&&"text"===a.type&&(null==(b=a.getAttribute("type"))||"text"===b.toLowerCase())},first:na(function(){return[0]}),last:na(function(a,b){return[b-1]}),eq:na(function(a,b,c){return[0>c?c+b:c]}),even:na(function(a,b){for(var c=0;b>c;c+=2)a.push(c);return a}),odd:na(function(a,b){for(var c=1;b>c;c+=2)a.push(c);return a}),lt:na(function(a,b,c){for(var d=0>c?c+b:c;--d>=0;)a.push(d);return a}),gt:na(function(a,b,c){for(var d=0>c?c+b:c;++d<b;)a.push(d);return a})}},d.pseudos.nth=d.pseudos.eq;for(b in{radio:!0,checkbox:!0,file:!0,password:!0,image:!0})d.pseudos[b]=la(b);for(b in{submit:!0,reset:!0})d.pseudos[b]=ma(b);function pa(){}pa.prototype=d.filters=d.pseudos,d.setFilters=new pa,g=fa.tokenize=function(a,b){var c,e,f,g,h,i,j,k=z[a+" "];if(k)return b?0:k.slice(0);h=a,i=[],j=d.preFilter;while(h){c&&!(e=R.exec(h))||(e&&(h=h.slice(e[0].length)||h),i.push(f=[])),c=!1,(e=S.exec(h))&&(c=e.shift(),f.push({value:c,type:e[0].replace(Q," ")}),h=h.slice(c.length));for(g in d.filter)!(e=W[g].exec(h))||j[g]&&!(e=j[g](e))||(c=e.shift(),f.push({value:c,type:g,matches:e}),h=h.slice(c.length));if(!c)break}return b?h.length:h?fa.error(a):z(a,i).slice(0)};function qa(a){for(var b=0,c=a.length,d="";c>b;b++)d+=a[b].value;return d}function ra(a,b,c){var d=b.dir,e=c&&"parentNode"===d,f=x++;return b.first?function(b,c,f){while(b=b[d])if(1===b.nodeType||e)return a(b,c,f)}:function(b,c,g){var h,i,j,k=[w,f];if(g){while(b=b[d])if((1===b.nodeType||e)&&a(b,c,g))return!0}else while(b=b[d])if(1===b.nodeType||e){if(j=b[u]||(b[u]={}),i=j[b.uniqueID]||(j[b.uniqueID]={}),(h=i[d])&&h[0]===w&&h[1]===f)return k[2]=h[2];if(i[d]=k,k[2]=a(b,c,g))return!0}}}function sa(a){return a.length>1?function(b,c,d){var e=a.length;while(e--)if(!a[e](b,c,d))return!1;return!0}:a[0]}function ta(a,b,c){for(var d=0,e=b.length;e>d;d++)fa(a,b[d],c);return c}function ua(a,b,c,d,e){for(var f,g=[],h=0,i=a.length,j=null!=b;i>h;h++)(f=a[h])&&(c&&!c(f,d,e)||(g.push(f),j&&b.push(h)));return g}function va(a,b,c,d,e,f){return d&&!d[u]&&(d=va(d)),e&&!e[u]&&(e=va(e,f)),ha(function(f,g,h,i){var j,k,l,m=[],n=[],o=g.length,p=f||ta(b||"*",h.nodeType?[h]:h,[]),q=!a||!f&&b?p:ua(p,m,a,h,i),r=c?e||(f?a:o||d)?[]:g:q;if(c&&c(q,r,h,i),d){j=ua(r,n),d(j,[],h,i),k=j.length;while(k--)(l=j[k])&&(r[n[k]]=!(q[n[k]]=l))}if(f){if(e||a){if(e){j=[],k=r.length;while(k--)(l=r[k])&&j.push(q[k]=l);e(null,r=[],j,i)}k=r.length;while(k--)(l=r[k])&&(j=e?J(f,l):m[k])>-1&&(f[j]=!(g[j]=l))}}else r=ua(r===g?r.splice(o,r.length):r),e?e(null,g,r,i):H.apply(g,r)})}function wa(a){for(var b,c,e,f=a.length,g=d.relative[a[0].type],h=g||d.relative[" "],i=g?1:0,k=ra(function(a){return a===b},h,!0),l=ra(function(a){return J(b,a)>-1},h,!0),m=[function(a,c,d){var e=!g&&(d||c!==j)||((b=c).nodeType?k(a,c,d):l(a,c,d));return b=null,e}];f>i;i++)if(c=d.relative[a[i].type])m=[ra(sa(m),c)];else{if(c=d.filter[a[i].type].apply(null,a[i].matches),c[u]){for(e=++i;f>e;e++)if(d.relative[a[e].type])break;return va(i>1&&sa(m),i>1&&qa(a.slice(0,i-1).concat({value:" "===a[i-2].type?"*":""})).replace(Q,"$1"),c,e>i&&wa(a.slice(i,e)),f>e&&wa(a=a.slice(e)),f>e&&qa(a))}m.push(c)}return sa(m)}function xa(a,b){var c=b.length>0,e=a.length>0,f=function(f,g,h,i,k){var l,o,q,r=0,s="0",t=f&&[],u=[],v=j,x=f||e&&d.find.TAG("*",k),y=w+=null==v?1:Math.random()||.1,z=x.length;for(k&&(j=g===n||g||k);s!==z&&null!=(l=x[s]);s++){if(e&&l){o=0,g||l.ownerDocument===n||(m(l),h=!p);while(q=a[o++])if(q(l,g||n,h)){i.push(l);break}k&&(w=y)}c&&((l=!q&&l)&&r--,f&&t.push(l))}if(r+=s,c&&s!==r){o=0;while(q=b[o++])q(t,u,g,h);if(f){if(r>0)while(s--)t[s]||u[s]||(u[s]=F.call(i));u=ua(u)}H.apply(i,u),k&&!f&&u.length>0&&r+b.length>1&&fa.uniqueSort(i)}return k&&(w=y,j=v),t};return c?ha(f):f}return h=fa.compile=function(a,b){var c,d=[],e=[],f=A[a+" "];if(!f){b||(b=g(a)),c=b.length;while(c--)f=wa(b[c]),f[u]?d.push(f):e.push(f);f=A(a,xa(e,d)),f.selector=a}return f},i=fa.select=function(a,b,e,f){var i,j,k,l,m,n="function"==typeof a&&a,o=!f&&g(a=n.selector||a);if(e=e||[],1===o.length){if(j=o[0]=o[0].slice(0),j.length>2&&"ID"===(k=j[0]).type&&c.getById&&9===b.nodeType&&p&&d.relative[j[1].type]){if(b=(d.find.ID(k.matches[0].replace(ba,ca),b)||[])[0],!b)return e;n&&(b=b.parentNode),a=a.slice(j.shift().value.length)}i=W.needsContext.test(a)?0:j.length;while(i--){if(k=j[i],d.relative[l=k.type])break;if((m=d.find[l])&&(f=m(k.matches[0].replace(ba,ca),_.test(j[0].type)&&oa(b.parentNode)||b))){if(j.splice(i,1),a=f.length&&qa(j),!a)return H.apply(e,f),e;break}}}return(n||h(a,o))(f,b,!p,e,!b||_.test(a)&&oa(b.parentNode)||b),e},c.sortStable=u.split("").sort(B).join("")===u,c.detectDuplicates=!!l,m(),c.sortDetached=ia(function(a){return 1&a.compareDocumentPosition(n.createElement("div"))}),ia(function(a){return a.innerHTML="<a href='#'></a>","#"===a.firstChild.getAttribute("href")})||ja("type|href|height|width",function(a,b,c){return c?void 0:a.getAttribute(b,"type"===b.toLowerCase()?1:2)}),c.attributes&&ia(function(a){return a.innerHTML="<input/>",a.firstChild.setAttribute("value",""),""===a.firstChild.getAttribute("value")})||ja("value",function(a,b,c){return c||"input"!==a.nodeName.toLowerCase()?void 0:a.defaultValue}),ia(function(a){return null==a.getAttribute("disabled")})||ja(K,function(a,b,c){var d;return c?void 0:a[b]===!0?b.toLowerCase():(d=a.getAttributeNode(b))&&d.specified?d.value:null}),fa}(a);n.find=t,n.expr=t.selectors,n.expr[":"]=n.expr.pseudos,n.uniqueSort=n.unique=t.uniqueSort,n.text=t.getText,n.isXMLDoc=t.isXML,n.contains=t.contains;var u=function(a,b,c){var d=[],e=void 0!==c;while((a=a[b])&&9!==a.nodeType)if(1===a.nodeType){if(e&&n(a).is(c))break;d.push(a)}return d},v=function(a,b){for(var c=[];a;a=a.nextSibling)1===a.nodeType&&a!==b&&c.push(a);return c},w=n.expr.match.needsContext,x=/^<([\w-]+)\s*\/?>(?:<\/\1>|)$/,y=/^.[^:#\[\.,]*$/;function z(a,b,c){if(n.isFunction(b))return n.grep(a,function(a,d){return!!b.call(a,d,a)!==c});if(b.nodeType)return n.grep(a,function(a){return a===b!==c});if("string"==typeof b){if(y.test(b))return n.filter(b,a,c);b=n.filter(b,a)}return n.grep(a,function(a){return n.inArray(a,b)>-1!==c})}n.filter=function(a,b,c){var d=b[0];return c&&(a=":not("+a+")"),1===b.length&&1===d.nodeType?n.find.matchesSelector(d,a)?[d]:[]:n.find.matches(a,n.grep(b,function(a){return 1===a.nodeType}))},n.fn.extend({find:function(a){var b,c=[],d=this,e=d.length;if("string"!=typeof a)return this.pushStack(n(a).filter(function(){for(b=0;e>b;b++)if(n.contains(d[b],this))return!0}));for(b=0;e>b;b++)n.find(a,d[b],c);return c=this.pushStack(e>1?n.unique(c):c),c.selector=this.selector?this.selector+" "+a:a,c},filter:function(a){return this.pushStack(z(this,a||[],!1))},not:function(a){return this.pushStack(z(this,a||[],!0))},is:function(a){return!!z(this,"string"==typeof a&&w.test(a)?n(a):a||[],!1).length}});var A,B=/^(?:\s*(<[\w\W]+>)[^>]*|#([\w-]*))$/,C=n.fn.init=function(a,b,c){var e,f;if(!a)return this;if(c=c||A,"string"==typeof a){if(e="<"===a.charAt(0)&&">"===a.charAt(a.length-1)&&a.length>=3?[null,a,null]:B.exec(a),!e||!e[1]&&b)return!b||b.jquery?(b||c).find(a):this.constructor(b).find(a);if(e[1]){if(b=b instanceof n?b[0]:b,n.merge(this,n.parseHTML(e[1],b&&b.nodeType?b.ownerDocument||b:d,!0)),x.test(e[1])&&n.isPlainObject(b))for(e in b)n.isFunction(this[e])?this[e](b[e]):this.attr(e,b[e]);return this}if(f=d.getElementById(e[2]),f&&f.parentNode){if(f.id!==e[2])return A.find(a);this.length=1,this[0]=f}return this.context=d,this.selector=a,this}return a.nodeType?(this.context=this[0]=a,this.length=1,this):n.isFunction(a)?"undefined"!=typeof c.ready?c.ready(a):a(n):(void 0!==a.selector&&(this.selector=a.selector,this.context=a.context),n.makeArray(a,this))};C.prototype=n.fn,A=n(d);var D=/^(?:parents|prev(?:Until|All))/,E={children:!0,contents:!0,next:!0,prev:!0};n.fn.extend({has:function(a){var b,c=n(a,this),d=c.length;return this.filter(function(){for(b=0;d>b;b++)if(n.contains(this,c[b]))return!0})},closest:function(a,b){for(var c,d=0,e=this.length,f=[],g=w.test(a)||"string"!=typeof a?n(a,b||this.context):0;e>d;d++)for(c=this[d];c&&c!==b;c=c.parentNode)if(c.nodeType<11&&(g?g.index(c)>-1:1===c.nodeType&&n.find.matchesSelector(c,a))){f.push(c);break}return this.pushStack(f.length>1?n.uniqueSort(f):f)},index:function(a){return a?"string"==typeof a?n.inArray(this[0],n(a)):n.inArray(a.jquery?a[0]:a,this):this[0]&&this[0].parentNode?this.first().prevAll().length:-1},add:function(a,b){return this.pushStack(n.uniqueSort(n.merge(this.get(),n(a,b))))},addBack:function(a){return this.add(null==a?this.prevObject:this.prevObject.filter(a))}});function F(a,b){do a=a[b];while(a&&1!==a.nodeType);return a}n.each({parent:function(a){var b=a.parentNode;return b&&11!==b.nodeType?b:null},parents:function(a){return u(a,"parentNode")},parentsUntil:function(a,b,c){return u(a,"parentNode",c)},next:function(a){return F(a,"nextSibling")},prev:function(a){return F(a,"previousSibling")},nextAll:function(a){return u(a,"nextSibling")},prevAll:function(a){return u(a,"previousSibling")},nextUntil:function(a,b,c){return u(a,"nextSibling",c)},prevUntil:function(a,b,c){return u(a,"previousSibling",c)},siblings:function(a){return v((a.parentNode||{}).firstChild,a)},children:function(a){return v(a.firstChild)},contents:function(a){return n.nodeName(a,"iframe")?a.contentDocument||a.contentWindow.document:n.merge([],a.childNodes)}},function(a,b){n.fn[a]=function(c,d){var e=n.map(this,b,c);return"Until"!==a.slice(-5)&&(d=c),d&&"string"==typeof d&&(e=n.filter(d,e)),this.length>1&&(E[a]||(e=n.uniqueSort(e)),D.test(a)&&(e=e.reverse())),this.pushStack(e)}});var G=/\S+/g;function H(a){var b={};return n.each(a.match(G)||[],function(a,c){b[c]=!0}),b}n.Callbacks=function(a){a="string"==typeof a?H(a):n.extend({},a);var b,c,d,e,f=[],g=[],h=-1,i=function(){for(e=a.once,d=b=!0;g.length;h=-1){c=g.shift();while(++h<f.length)f[h].apply(c[0],c[1])===!1&&a.stopOnFalse&&(h=f.length,c=!1)}a.memory||(c=!1),b=!1,e&&(f=c?[]:"")},j={add:function(){return f&&(c&&!b&&(h=f.length-1,g.push(c)),function d(b){n.each(b,function(b,c){n.isFunction(c)?a.unique&&j.has(c)||f.push(c):c&&c.length&&"string"!==n.type(c)&&d(c)})}(arguments),c&&!b&&i()),this},remove:function(){return n.each(arguments,function(a,b){var c;while((c=n.inArray(b,f,c))>-1)f.splice(c,1),h>=c&&h--}),this},has:function(a){return a?n.inArray(a,f)>-1:f.length>0},empty:function(){return f&&(f=[]),this},disable:function(){return e=g=[],f=c="",this},disabled:function(){return!f},lock:function(){return e=!0,c||j.disable(),this},locked:function(){return!!e},fireWith:function(a,c){return e||(c=c||[],c=[a,c.slice?c.slice():c],g.push(c),b||i()),this},fire:function(){return j.fireWith(this,arguments),this},fired:function(){return!!d}};return j},n.extend({Deferred:function(a){var b=[["resolve","done",n.Callbacks("once memory"),"resolved"],["reject","fail",n.Callbacks("once memory"),"rejected"],["notify","progress",n.Callbacks("memory")]],c="pending",d={state:function(){return c},always:function(){return e.done(arguments).fail(arguments),this},then:function(){var a=arguments;return n.Deferred(function(c){n.each(b,function(b,f){var g=n.isFunction(a[b])&&a[b];e[f[1]](function(){var a=g&&g.apply(this,arguments);a&&n.isFunction(a.promise)?a.promise().progress(c.notify).done(c.resolve).fail(c.reject):c[f[0]+"With"](this===d?c.promise():this,g?[a]:arguments)})}),a=null}).promise()},promise:function(a){return null!=a?n.extend(a,d):d}},e={};return d.pipe=d.then,n.each(b,function(a,f){var g=f[2],h=f[3];d[f[1]]=g.add,h&&g.add(function(){c=h},b[1^a][2].disable,b[2][2].lock),e[f[0]]=function(){return e[f[0]+"With"](this===e?d:this,arguments),this},e[f[0]+"With"]=g.fireWith}),d.promise(e),a&&a.call(e,e),e},when:function(a){var b=0,c=e.call(arguments),d=c.length,f=1!==d||a&&n.isFunction(a.promise)?d:0,g=1===f?a:n.Deferred(),h=function(a,b,c){return function(d){b[a]=this,c[a]=arguments.length>1?e.call(arguments):d,c===i?g.notifyWith(b,c):--f||g.resolveWith(b,c)}},i,j,k;if(d>1)for(i=new Array(d),j=new Array(d),k=new Array(d);d>b;b++)c[b]&&n.isFunction(c[b].promise)?c[b].promise().progress(h(b,j,i)).done(h(b,k,c)).fail(g.reject):--f;return f||g.resolveWith(k,c),g.promise()}});var I;n.fn.ready=function(a){return n.ready.promise().done(a),this},n.extend({isReady:!1,readyWait:1,holdReady:function(a){a?n.readyWait++:n.ready(!0)},ready:function(a){(a===!0?--n.readyWait:n.isReady)||(n.isReady=!0,a!==!0&&--n.readyWait>0||(I.resolveWith(d,[n]),n.fn.triggerHandler&&(n(d).triggerHandler("ready"),n(d).off("ready"))))}});function J(){d.addEventListener?(d.removeEventListener("DOMContentLoaded",K),a.removeEventListener("load",K)):(d.detachEvent("onreadystatechange",K),a.detachEvent("onload",K))}function K(){(d.addEventListener||"load"===a.event.type||"complete"===d.readyState)&&(J(),n.ready())}n.ready.promise=function(b){if(!I)if(I=n.Deferred(),"complete"===d.readyState||"loading"!==d.readyState&&!d.documentElement.doScroll)a.setTimeout(n.ready);else if(d.addEventListener)d.addEventListener("DOMContentLoaded",K),a.addEventListener("load",K);else{d.attachEvent("onreadystatechange",K),a.attachEvent("onload",K);var c=!1;try{c=null==a.frameElement&&d.documentElement}catch(e){}c&&c.doScroll&&!function f(){if(!n.isReady){try{c.doScroll("left")}catch(b){return a.setTimeout(f,50)}J(),n.ready()}}()}return I.promise(b)},n.ready.promise();var L;for(L in n(l))break;l.ownFirst="0"===L,l.inlineBlockNeedsLayout=!1,n(function(){var a,b,c,e;c=d.getElementsByTagName("body")[0],c&&c.style&&(b=d.createElement("div"),e=d.createElement("div"),e.style.cssText="position:absolute;border:0;width:0;height:0;top:0;left:-9999px",c.appendChild(e).appendChild(b),"undefined"!=typeof b.style.zoom&&(b.style.cssText="display:inline;margin:0;border:0;padding:1px;width:1px;zoom:1",l.inlineBlockNeedsLayout=a=3===b.offsetWidth,a&&(c.style.zoom=1)),c.removeChild(e))}),function(){var a=d.createElement("div");l.deleteExpando=!0;try{delete a.test}catch(b){l.deleteExpando=!1}a=null}();var M=function(a){var b=n.noData[(a.nodeName+" ").toLowerCase()],c=+a.nodeType||1;return 1!==c&&9!==c?!1:!b||b!==!0&&a.getAttribute("classid")===b},N=/^(?:\{[\w\W]*\}|\[[\w\W]*\])$/,O=/([A-Z])/g;function P(a,b,c){if(void 0===c&&1===a.nodeType){var d="data-"+b.replace(O,"-$1").toLowerCase();if(c=a.getAttribute(d),"string"==typeof c){try{c="true"===c?!0:"false"===c?!1:"null"===c?null:+c+""===c?+c:N.test(c)?n.parseJSON(c):c}catch(e){}n.data(a,b,c)}else c=void 0; >}return c}function Q(a){var b;for(b in a)if(("data"!==b||!n.isEmptyObject(a[b]))&&"toJSON"!==b)return!1;return!0}function R(a,b,d,e){if(M(a)){var f,g,h=n.expando,i=a.nodeType,j=i?n.cache:a,k=i?a[h]:a[h]&&h;if(k&&j[k]&&(e||j[k].data)||void 0!==d||"string"!=typeof b)return k||(k=i?a[h]=c.pop()||n.guid++:h),j[k]||(j[k]=i?{}:{toJSON:n.noop}),"object"!=typeof b&&"function"!=typeof b||(e?j[k]=n.extend(j[k],b):j[k].data=n.extend(j[k].data,b)),g=j[k],e||(g.data||(g.data={}),g=g.data),void 0!==d&&(g[n.camelCase(b)]=d),"string"==typeof b?(f=g[b],null==f&&(f=g[n.camelCase(b)])):f=g,f}}function S(a,b,c){if(M(a)){var d,e,f=a.nodeType,g=f?n.cache:a,h=f?a[n.expando]:n.expando;if(g[h]){if(b&&(d=c?g[h]:g[h].data)){n.isArray(b)?b=b.concat(n.map(b,n.camelCase)):b in d?b=[b]:(b=n.camelCase(b),b=b in d?[b]:b.split(" ")),e=b.length;while(e--)delete d[b[e]];if(c?!Q(d):!n.isEmptyObject(d))return}(c||(delete g[h].data,Q(g[h])))&&(f?n.cleanData([a],!0):l.deleteExpando||g!=g.window?delete g[h]:g[h]=void 0)}}}n.extend({cache:{},noData:{"applet ":!0,"embed ":!0,"object ":"clsid:D27CDB6E-AE6D-11cf-96B8-444553540000"},hasData:function(a){return a=a.nodeType?n.cache[a[n.expando]]:a[n.expando],!!a&&!Q(a)},data:function(a,b,c){return R(a,b,c)},removeData:function(a,b){return S(a,b)},_data:function(a,b,c){return R(a,b,c,!0)},_removeData:function(a,b){return S(a,b,!0)}}),n.fn.extend({data:function(a,b){var c,d,e,f=this[0],g=f&&f.attributes;if(void 0===a){if(this.length&&(e=n.data(f),1===f.nodeType&&!n._data(f,"parsedAttrs"))){c=g.length;while(c--)g[c]&&(d=g[c].name,0===d.indexOf("data-")&&(d=n.camelCase(d.slice(5)),P(f,d,e[d])));n._data(f,"parsedAttrs",!0)}return e}return"object"==typeof a?this.each(function(){n.data(this,a)}):arguments.length>1?this.each(function(){n.data(this,a,b)}):f?P(f,a,n.data(f,a)):void 0},removeData:function(a){return this.each(function(){n.removeData(this,a)})}}),n.extend({queue:function(a,b,c){var d;return a?(b=(b||"fx")+"queue",d=n._data(a,b),c&&(!d||n.isArray(c)?d=n._data(a,b,n.makeArray(c)):d.push(c)),d||[]):void 0},dequeue:function(a,b){b=b||"fx";var c=n.queue(a,b),d=c.length,e=c.shift(),f=n._queueHooks(a,b),g=function(){n.dequeue(a,b)};"inprogress"===e&&(e=c.shift(),d--),e&&("fx"===b&&c.unshift("inprogress"),delete f.stop,e.call(a,g,f)),!d&&f&&f.empty.fire()},_queueHooks:function(a,b){var c=b+"queueHooks";return n._data(a,c)||n._data(a,c,{empty:n.Callbacks("once memory").add(function(){n._removeData(a,b+"queue"),n._removeData(a,c)})})}}),n.fn.extend({queue:function(a,b){var c=2;return"string"!=typeof a&&(b=a,a="fx",c--),arguments.length<c?n.queue(this[0],a):void 0===b?this:this.each(function(){var c=n.queue(this,a,b);n._queueHooks(this,a),"fx"===a&&"inprogress"!==c[0]&&n.dequeue(this,a)})},dequeue:function(a){return this.each(function(){n.dequeue(this,a)})},clearQueue:function(a){return this.queue(a||"fx",[])},promise:function(a,b){var c,d=1,e=n.Deferred(),f=this,g=this.length,h=function(){--d||e.resolveWith(f,[f])};"string"!=typeof a&&(b=a,a=void 0),a=a||"fx";while(g--)c=n._data(f[g],a+"queueHooks"),c&&c.empty&&(d++,c.empty.add(h));return h(),e.promise(b)}}),function(){var a;l.shrinkWrapBlocks=function(){if(null!=a)return a;a=!1;var b,c,e;return c=d.getElementsByTagName("body")[0],c&&c.style?(b=d.createElement("div"),e=d.createElement("div"),e.style.cssText="position:absolute;border:0;width:0;height:0;top:0;left:-9999px",c.appendChild(e).appendChild(b),"undefined"!=typeof b.style.zoom&&(b.style.cssText="-webkit-box-sizing:content-box;-moz-box-sizing:content-box;box-sizing:content-box;display:block;margin:0;border:0;padding:1px;width:1px;zoom:1",b.appendChild(d.createElement("div")).style.width="5px",a=3!==b.offsetWidth),c.removeChild(e),a):void 0}}();var T=/[+-]?(?:\d*\.|)\d+(?:[eE][+-]?\d+|)/.source,U=new RegExp("^(?:([+-])=|)("+T+")([a-z%]*)$","i"),V=["Top","Right","Bottom","Left"],W=function(a,b){return a=b||a,"none"===n.css(a,"display")||!n.contains(a.ownerDocument,a)};function X(a,b,c,d){var e,f=1,g=20,h=d?function(){return d.cur()}:function(){return n.css(a,b,"")},i=h(),j=c&&c[3]||(n.cssNumber[b]?"":"px"),k=(n.cssNumber[b]||"px"!==j&&+i)&&U.exec(n.css(a,b));if(k&&k[3]!==j){j=j||k[3],c=c||[],k=+i||1;do f=f||".5",k/=f,n.style(a,b,k+j);while(f!==(f=h()/i)&&1!==f&&--g)}return c&&(k=+k||+i||0,e=c[1]?k+(c[1]+1)*c[2]:+c[2],d&&(d.unit=j,d.start=k,d.end=e)),e}var Y=function(a,b,c,d,e,f,g){var h=0,i=a.length,j=null==c;if("object"===n.type(c)){e=!0;for(h in c)Y(a,b,h,c[h],!0,f,g)}else if(void 0!==d&&(e=!0,n.isFunction(d)||(g=!0),j&&(g?(b.call(a,d),b=null):(j=b,b=function(a,b,c){return j.call(n(a),c)})),b))for(;i>h;h++)b(a[h],c,g?d:d.call(a[h],h,b(a[h],c)));return e?a:j?b.call(a):i?b(a[0],c):f},Z=/^(?:checkbox|radio)$/i,$=/<([\w:-]+)/,_=/^$|\/(?:java|ecma)script/i,aa=/^\s+/,ba="abbr|article|aside|audio|bdi|canvas|data|datalist|details|dialog|figcaption|figure|footer|header|hgroup|main|mark|meter|nav|output|picture|progress|section|summary|template|time|video";function ca(a){var b=ba.split("|"),c=a.createDocumentFragment();if(c.createElement)while(b.length)c.createElement(b.pop());return c}!function(){var a=d.createElement("div"),b=d.createDocumentFragment(),c=d.createElement("input");a.innerHTML=" <link/><table></table><a href='/a'>a</a><input type='checkbox'/>",l.leadingWhitespace=3===a.firstChild.nodeType,l.tbody=!a.getElementsByTagName("tbody").length,l.htmlSerialize=!!a.getElementsByTagName("link").length,l.html5Clone="<:nav></:nav>"!==d.createElement("nav").cloneNode(!0).outerHTML,c.type="checkbox",c.checked=!0,b.appendChild(c),l.appendChecked=c.checked,a.innerHTML="<textarea>x</textarea>",l.noCloneChecked=!!a.cloneNode(!0).lastChild.defaultValue,b.appendChild(a),c=d.createElement("input"),c.setAttribute("type","radio"),c.setAttribute("checked","checked"),c.setAttribute("name","t"),a.appendChild(c),l.checkClone=a.cloneNode(!0).cloneNode(!0).lastChild.checked,l.noCloneEvent=!!a.addEventListener,a[n.expando]=1,l.attributes=!a.getAttribute(n.expando)}();var da={option:[1,"<select multiple='multiple'>","</select>"],legend:[1,"<fieldset>","</fieldset>"],area:[1,"<map>","</map>"],param:[1,"<object>","</object>"],thead:[1,"<table>","</table>"],tr:[2,"<table><tbody>","</tbody></table>"],col:[2,"<table><tbody></tbody><colgroup>","</colgroup></table>"],td:[3,"<table><tbody><tr>","</tr></tbody></table>"],_default:l.htmlSerialize?[0,"",""]:[1,"X<div>","</div>"]};da.optgroup=da.option,da.tbody=da.tfoot=da.colgroup=da.caption=da.thead,da.th=da.td;function ea(a,b){var c,d,e=0,f="undefined"!=typeof a.getElementsByTagName?a.getElementsByTagName(b||"*"):"undefined"!=typeof a.querySelectorAll?a.querySelectorAll(b||"*"):void 0;if(!f)for(f=[],c=a.childNodes||a;null!=(d=c[e]);e++)!b||n.nodeName(d,b)?f.push(d):n.merge(f,ea(d,b));return void 0===b||b&&n.nodeName(a,b)?n.merge([a],f):f}function fa(a,b){for(var c,d=0;null!=(c=a[d]);d++)n._data(c,"globalEval",!b||n._data(b[d],"globalEval"))}var ga=/<|&#?\w+;/,ha=/<tbody/i;function ia(a){Z.test(a.type)&&(a.defaultChecked=a.checked)}function ja(a,b,c,d,e){for(var f,g,h,i,j,k,m,o=a.length,p=ca(b),q=[],r=0;o>r;r++)if(g=a[r],g||0===g)if("object"===n.type(g))n.merge(q,g.nodeType?[g]:g);else if(ga.test(g)){i=i||p.appendChild(b.createElement("div")),j=($.exec(g)||["",""])[1].toLowerCase(),m=da[j]||da._default,i.innerHTML=m[1]+n.htmlPrefilter(g)+m[2],f=m[0];while(f--)i=i.lastChild;if(!l.leadingWhitespace&&aa.test(g)&&q.push(b.createTextNode(aa.exec(g)[0])),!l.tbody){g="table"!==j||ha.test(g)?"<table>"!==m[1]||ha.test(g)?0:i:i.firstChild,f=g&&g.childNodes.length;while(f--)n.nodeName(k=g.childNodes[f],"tbody")&&!k.childNodes.length&&g.removeChild(k)}n.merge(q,i.childNodes),i.textContent="";while(i.firstChild)i.removeChild(i.firstChild);i=p.lastChild}else q.push(b.createTextNode(g));i&&p.removeChild(i),l.appendChecked||n.grep(ea(q,"input"),ia),r=0;while(g=q[r++])if(d&&n.inArray(g,d)>-1)e&&e.push(g);else if(h=n.contains(g.ownerDocument,g),i=ea(p.appendChild(g),"script"),h&&fa(i),c){f=0;while(g=i[f++])_.test(g.type||"")&&c.push(g)}return i=null,p}!function(){var b,c,e=d.createElement("div");for(b in{submit:!0,change:!0,focusin:!0})c="on"+b,(l[b]=c in a)||(e.setAttribute(c,"t"),l[b]=e.attributes[c].expando===!1);e=null}();var ka=/^(?:input|select|textarea)$/i,la=/^key/,ma=/^(?:mouse|pointer|contextmenu|drag|drop)|click/,na=/^(?:focusinfocus|focusoutblur)$/,oa=/^([^.]*)(?:\.(.+)|)/;function pa(){return!0}function qa(){return!1}function ra(){try{return d.activeElement}catch(a){}}function sa(a,b,c,d,e,f){var g,h;if("object"==typeof b){"string"!=typeof c&&(d=d||c,c=void 0);for(h in b)sa(a,h,c,d,b[h],f);return a}if(null==d&&null==e?(e=c,d=c=void 0):null==e&&("string"==typeof c?(e=d,d=void 0):(e=d,d=c,c=void 0)),e===!1)e=qa;else if(!e)return a;return 1===f&&(g=e,e=function(a){return n().off(a),g.apply(this,arguments)},e.guid=g.guid||(g.guid=n.guid++)),a.each(function(){n.event.add(this,b,e,d,c)})}n.event={global:{},add:function(a,b,c,d,e){var f,g,h,i,j,k,l,m,o,p,q,r=n._data(a);if(r){c.handler&&(i=c,c=i.handler,e=i.selector),c.guid||(c.guid=n.guid++),(g=r.events)||(g=r.events={}),(k=r.handle)||(k=r.handle=function(a){return"undefined"==typeof n||a&&n.event.triggered===a.type?void 0:n.event.dispatch.apply(k.elem,arguments)},k.elem=a),b=(b||"").match(G)||[""],h=b.length;while(h--)f=oa.exec(b[h])||[],o=q=f[1],p=(f[2]||"").split(".").sort(),o&&(j=n.event.special[o]||{},o=(e?j.delegateType:j.bindType)||o,j=n.event.special[o]||{},l=n.extend({type:o,origType:q,data:d,handler:c,guid:c.guid,selector:e,needsContext:e&&n.expr.match.needsContext.test(e),namespace:p.join(".")},i),(m=g[o])||(m=g[o]=[],m.delegateCount=0,j.setup&&j.setup.call(a,d,p,k)!==!1||(a.addEventListener?a.addEventListener(o,k,!1):a.attachEvent&&a.attachEvent("on"+o,k))),j.add&&(j.add.call(a,l),l.handler.guid||(l.handler.guid=c.guid)),e?m.splice(m.delegateCount++,0,l):m.push(l),n.event.global[o]=!0);a=null}},remove:function(a,b,c,d,e){var f,g,h,i,j,k,l,m,o,p,q,r=n.hasData(a)&&n._data(a);if(r&&(k=r.events)){b=(b||"").match(G)||[""],j=b.length;while(j--)if(h=oa.exec(b[j])||[],o=q=h[1],p=(h[2]||"").split(".").sort(),o){l=n.event.special[o]||{},o=(d?l.delegateType:l.bindType)||o,m=k[o]||[],h=h[2]&&new RegExp("(^|\\.)"+p.join("\\.(?:.*\\.|)")+"(\\.|$)"),i=f=m.length;while(f--)g=m[f],!e&&q!==g.origType||c&&c.guid!==g.guid||h&&!h.test(g.namespace)||d&&d!==g.selector&&("**"!==d||!g.selector)||(m.splice(f,1),g.selector&&m.delegateCount--,l.remove&&l.remove.call(a,g));i&&!m.length&&(l.teardown&&l.teardown.call(a,p,r.handle)!==!1||n.removeEvent(a,o,r.handle),delete k[o])}else for(o in k)n.event.remove(a,o+b[j],c,d,!0);n.isEmptyObject(k)&&(delete r.handle,n._removeData(a,"events"))}},trigger:function(b,c,e,f){var g,h,i,j,l,m,o,p=[e||d],q=k.call(b,"type")?b.type:b,r=k.call(b,"namespace")?b.namespace.split("."):[];if(i=m=e=e||d,3!==e.nodeType&&8!==e.nodeType&&!na.test(q+n.event.triggered)&&(q.indexOf(".")>-1&&(r=q.split("."),q=r.shift(),r.sort()),h=q.indexOf(":")<0&&"on"+q,b=b[n.expando]?b:new n.Event(q,"object"==typeof b&&b),b.isTrigger=f?2:3,b.namespace=r.join("."),b.rnamespace=b.namespace?new RegExp("(^|\\.)"+r.join("\\.(?:.*\\.|)")+"(\\.|$)"):null,b.result=void 0,b.target||(b.target=e),c=null==c?[b]:n.makeArray(c,[b]),l=n.event.special[q]||{},f||!l.trigger||l.trigger.apply(e,c)!==!1)){if(!f&&!l.noBubble&&!n.isWindow(e)){for(j=l.delegateType||q,na.test(j+q)||(i=i.parentNode);i;i=i.parentNode)p.push(i),m=i;m===(e.ownerDocument||d)&&p.push(m.defaultView||m.parentWindow||a)}o=0;while((i=p[o++])&&!b.isPropagationStopped())b.type=o>1?j:l.bindType||q,g=(n._data(i,"events")||{})[b.type]&&n._data(i,"handle"),g&&g.apply(i,c),g=h&&i[h],g&&g.apply&&M(i)&&(b.result=g.apply(i,c),b.result===!1&&b.preventDefault());if(b.type=q,!f&&!b.isDefaultPrevented()&&(!l._default||l._default.apply(p.pop(),c)===!1)&&M(e)&&h&&e[q]&&!n.isWindow(e)){m=e[h],m&&(e[h]=null),n.event.triggered=q;try{e[q]()}catch(s){}n.event.triggered=void 0,m&&(e[h]=m)}return b.result}},dispatch:function(a){a=n.event.fix(a);var b,c,d,f,g,h=[],i=e.call(arguments),j=(n._data(this,"events")||{})[a.type]||[],k=n.event.special[a.type]||{};if(i[0]=a,a.delegateTarget=this,!k.preDispatch||k.preDispatch.call(this,a)!==!1){h=n.event.handlers.call(this,a,j),b=0;while((f=h[b++])&&!a.isPropagationStopped()){a.currentTarget=f.elem,c=0;while((g=f.handlers[c++])&&!a.isImmediatePropagationStopped())a.rnamespace&&!a.rnamespace.test(g.namespace)||(a.handleObj=g,a.data=g.data,d=((n.event.special[g.origType]||{}).handle||g.handler).apply(f.elem,i),void 0!==d&&(a.result=d)===!1&&(a.preventDefault(),a.stopPropagation()))}return k.postDispatch&&k.postDispatch.call(this,a),a.result}},handlers:function(a,b){var c,d,e,f,g=[],h=b.delegateCount,i=a.target;if(h&&i.nodeType&&("click"!==a.type||isNaN(a.button)||a.button<1))for(;i!=this;i=i.parentNode||this)if(1===i.nodeType&&(i.disabled!==!0||"click"!==a.type)){for(d=[],c=0;h>c;c++)f=b[c],e=f.selector+" ",void 0===d[e]&&(d[e]=f.needsContext?n(e,this).index(i)>-1:n.find(e,this,null,[i]).length),d[e]&&d.push(f);d.length&&g.push({elem:i,handlers:d})}return h<b.length&&g.push({elem:this,handlers:b.slice(h)}),g},fix:function(a){if(a[n.expando])return a;var b,c,e,f=a.type,g=a,h=this.fixHooks[f];h||(this.fixHooks[f]=h=ma.test(f)?this.mouseHooks:la.test(f)?this.keyHooks:{}),e=h.props?this.props.concat(h.props):this.props,a=new n.Event(g),b=e.length;while(b--)c=e[b],a[c]=g[c];return a.target||(a.target=g.srcElement||d),3===a.target.nodeType&&(a.target=a.target.parentNode),a.metaKey=!!a.metaKey,h.filter?h.filter(a,g):a},props:"altKey bubbles cancelable ctrlKey currentTarget detail eventPhase metaKey relatedTarget shiftKey target timeStamp view which".split(" "),fixHooks:{},keyHooks:{props:"char charCode key keyCode".split(" "),filter:function(a,b){return null==a.which&&(a.which=null!=b.charCode?b.charCode:b.keyCode),a}},mouseHooks:{props:"button buttons clientX clientY fromElement offsetX offsetY pageX pageY screenX screenY toElement".split(" "),filter:function(a,b){var c,e,f,g=b.button,h=b.fromElement;return null==a.pageX&&null!=b.clientX&&(e=a.target.ownerDocument||d,f=e.documentElement,c=e.body,a.pageX=b.clientX+(f&&f.scrollLeft||c&&c.scrollLeft||0)-(f&&f.clientLeft||c&&c.clientLeft||0),a.pageY=b.clientY+(f&&f.scrollTop||c&&c.scrollTop||0)-(f&&f.clientTop||c&&c.clientTop||0)),!a.relatedTarget&&h&&(a.relatedTarget=h===a.target?b.toElement:h),a.which||void 0===g||(a.which=1&g?1:2&g?3:4&g?2:0),a}},special:{load:{noBubble:!0},focus:{trigger:function(){if(this!==ra()&&this.focus)try{return this.focus(),!1}catch(a){}},delegateType:"focusin"},blur:{trigger:function(){return this===ra()&&this.blur?(this.blur(),!1):void 0},delegateType:"focusout"},click:{trigger:function(){return n.nodeName(this,"input")&&"checkbox"===this.type&&this.click?(this.click(),!1):void 0},_default:function(a){return n.nodeName(a.target,"a")}},beforeunload:{postDispatch:function(a){void 0!==a.result&&a.originalEvent&&(a.originalEvent.returnValue=a.result)}}},simulate:function(a,b,c){var d=n.extend(new n.Event,c,{type:a,isSimulated:!0});n.event.trigger(d,null,b),d.isDefaultPrevented()&&c.preventDefault()}},n.removeEvent=d.removeEventListener?function(a,b,c){a.removeEventListener&&a.removeEventListener(b,c)}:function(a,b,c){var d="on"+b;a.detachEvent&&("undefined"==typeof a[d]&&(a[d]=null),a.detachEvent(d,c))},n.Event=function(a,b){return this instanceof n.Event?(a&&a.type?(this.originalEvent=a,this.type=a.type,this.isDefaultPrevented=a.defaultPrevented||void 0===a.defaultPrevented&&a.returnValue===!1?pa:qa):this.type=a,b&&n.extend(this,b),this.timeStamp=a&&a.timeStamp||n.now(),void(this[n.expando]=!0)):new n.Event(a,b)},n.Event.prototype={constructor:n.Event,isDefaultPrevented:qa,isPropagationStopped:qa,isImmediatePropagationStopped:qa,preventDefault:function(){var a=this.originalEvent;this.isDefaultPrevented=pa,a&&(a.preventDefault?a.preventDefault():a.returnValue=!1)},stopPropagation:function(){var a=this.originalEvent;this.isPropagationStopped=pa,a&&!this.isSimulated&&(a.stopPropagation&&a.stopPropagation(),a.cancelBubble=!0)},stopImmediatePropagation:function(){var a=this.originalEvent;this.isImmediatePropagationStopped=pa,a&&a.stopImmediatePropagation&&a.stopImmediatePropagation(),this.stopPropagation()}},n.each({mouseenter:"mouseover",mouseleave:"mouseout",pointerenter:"pointerover",pointerleave:"pointerout"},function(a,b){n.event.special[a]={delegateType:b,bindType:b,handle:function(a){var c,d=this,e=a.relatedTarget,f=a.handleObj;return e&&(e===d||n.contains(d,e))||(a.type=f.origType,c=f.handler.apply(this,arguments),a.type=b),c}}}),l.submit||(n.event.special.submit={setup:function(){return n.nodeName(this,"form")?!1:void n.event.add(this,"click._submit keypress._submit",function(a){var b=a.target,c=n.nodeName(b,"input")||n.nodeName(b,"button")?n.prop(b,"form"):void 0;c&&!n._data(c,"submit")&&(n.event.add(c,"submit._submit",function(a){a._submitBubble=!0}),n._data(c,"submit",!0))})},postDispatch:function(a){a._submitBubble&&(delete a._submitBubble,this.parentNode&&!a.isTrigger&&n.event.simulate("submit",this.parentNode,a))},teardown:function(){return n.nodeName(this,"form")?!1:void n.event.remove(this,"._submit")}}),l.change||(n.event.special.change={setup:function(){return ka.test(this.nodeName)?("checkbox"!==this.type&&"radio"!==this.type||(n.event.add(this,"propertychange._change",function(a){"checked"===a.originalEvent.propertyName&&(this._justChanged=!0)}),n.event.add(this,"click._change",function(a){this._justChanged&&!a.isTrigger&&(this._justChanged=!1),n.event.simulate("change",this,a)})),!1):void n.event.add(this,"beforeactivate._change",function(a){var b=a.target;ka.test(b.nodeName)&&!n._data(b,"change")&&(n.event.add(b,"change._change",function(a){!this.parentNode||a.isSimulated||a.isTrigger||n.event.simulate("change",this.parentNode,a)}),n._data(b,"change",!0))})},handle:function(a){var b=a.target;return this!==b||a.isSimulated||a.isTrigger||"radio"!==b.type&&"checkbox"!==b.type?a.handleObj.handler.apply(this,arguments):void 0},teardown:function(){return n.event.remove(this,"._change"),!ka.test(this.nodeName)}}),l.focusin||n.each({focus:"focusin",blur:"focusout"},function(a,b){var c=function(a){n.event.simulate(b,a.target,n.event.fix(a))};n.event.special[b]={setup:function(){var d=this.ownerDocument||this,e=n._data(d,b);e||d.addEventListener(a,c,!0),n._data(d,b,(e||0)+1)},teardown:function(){var d=this.ownerDocument||this,e=n._data(d,b)-1;e?n._data(d,b,e):(d.removeEventListener(a,c,!0),n._removeData(d,b))}}}),n.fn.extend({on:function(a,b,c,d){return sa(this,a,b,c,d)},one:function(a,b,c,d){return sa(this,a,b,c,d,1)},off:function(a,b,c){var d,e;if(a&&a.preventDefault&&a.handleObj)return d=a.handleObj,n(a.delegateTarget).off(d.namespace?d.origType+"."+d.namespace:d.origType,d.selector,d.handler),this;if("object"==typeof a){for(e in a)this.off(e,b,a[e]);return this}return b!==!1&&"function"!=typeof b||(c=b,b=void 0),c===!1&&(c=qa),this.each(function(){n.event.remove(this,a,c,b)})},trigger:function(a,b){return this.each(function(){n.event.trigger(a,b,this)})},triggerHandler:function(a,b){var c=this[0];return c?n.event.trigger(a,b,c,!0):void 0}});var ta=/ jQuery\d+="(?:null|\d+)"/g,ua=new RegExp("<(?:"+ba+")[\\s/>]","i"),va=/<(?!area|br|col|embed|hr|img|input|link|meta|param)(([\w:-]+)[^>]*)\/>/gi,wa=/<script|<style|<link/i,xa=/checked\s*(?:[^=]|=\s*.checked.)/i,ya=/^true\/(.*)/,za=/^\s*<!(?:\[CDATA\[|--)|(?:\]\]|--)>\s*$/g,Aa=ca(d),Ba=Aa.appendChild(d.createElement("div"));function Ca(a,b){return n.nodeName(a,"table")&&n.nodeName(11!==b.nodeType?b:b.firstChild,"tr")?a.getElementsByTagName("tbody")[0]||a.appendChild(a.ownerDocument.createElement("tbody")):a}function Da(a){return a.type=(null!==n.find.attr(a,"type"))+"/"+a.type,a}function Ea(a){var b=ya.exec(a.type);return b?a.type=b[1]:a.removeAttribute("type"),a}function Fa(a,b){if(1===b.nodeType&&n.hasData(a)){var c,d,e,f=n._data(a),g=n._data(b,f),h=f.events;if(h){delete g.handle,g.events={};for(c in h)for(d=0,e=h[c].length;e>d;d++)n.event.add(b,c,h[c][d])}g.data&&(g.data=n.extend({},g.data))}}function Ga(a,b){var c,d,e;if(1===b.nodeType){if(c=b.nodeName.toLowerCase(),!l.noCloneEvent&&b[n.expando]){e=n._data(b);for(d in e.events)n.removeEvent(b,d,e.handle);b.removeAttribute(n.expando)}"script"===c&&b.text!==a.text?(Da(b).text=a.text,Ea(b)):"object"===c?(b.parentNode&&(b.outerHTML=a.outerHTML),l.html5Clone&&a.innerHTML&&!n.trim(b.innerHTML)&&(b.innerHTML=a.innerHTML)):"input"===c&&Z.test(a.type)?(b.defaultChecked=b.checked=a.checked,b.value!==a.value&&(b.value=a.value)):"option"===c?b.defaultSelected=b.selected=a.defaultSelected:"input"!==c&&"textarea"!==c||(b.defaultValue=a.defaultValue)}}function Ha(a,b,c,d){b=f.apply([],b);var e,g,h,i,j,k,m=0,o=a.length,p=o-1,q=b[0],r=n.isFunction(q);if(r||o>1&&"string"==typeof q&&!l.checkClone&&xa.test(q))return a.each(function(e){var f=a.eq(e);r&&(b[0]=q.call(this,e,f.html())),Ha(f,b,c,d)});if(o&&(k=ja(b,a[0].ownerDocument,!1,a,d),e=k.firstChild,1===k.childNodes.length&&(k=e),e||d)){for(i=n.map(ea(k,"script"),Da),h=i.length;o>m;m++)g=k,m!==p&&(g=n.clone(g,!0,!0),h&&n.merge(i,ea(g,"script"))),c.call(a[m],g,m);if(h)for(j=i[i.length-1].ownerDocument,n.map(i,Ea),m=0;h>m;m++)g=i[m],_.test(g.type||"")&&!n._data(g,"globalEval")&&n.contains(j,g)&&(g.src?n._evalUrl&&n._evalUrl(g.src):n.globalEval((g.text||g.textContent||g.innerHTML||"").replace(za,"")));k=e=null}return a}function Ia(a,b,c){for(var d,e=b?n.filter(b,a):a,f=0;null!=(d=e[f]);f++)c||1!==d.nodeType||n.cleanData(ea(d)),d.parentNode&&(c&&n.contains(d.ownerDocument,d)&&fa(ea(d,"script")),d.parentNode.removeChild(d));return a}n.extend({htmlPrefilter:function(a){return a.replace(va,"<$1></$2>")},clone:function(a,b,c){var d,e,f,g,h,i=n.contains(a.ownerDocument,a);if(l.html5Clone||n.isXMLDoc(a)||!ua.test("<"+a.nodeName+">")?f=a.cloneNode(!0):(Ba.innerHTML=a.outerHTML,Ba.removeChild(f=Ba.firstChild)),!(l.noCloneEvent&&l.noCloneChecked||1!==a.nodeType&&11!==a.nodeType||n.isXMLDoc(a)))for(d=ea(f),h=ea(a),g=0;null!=(e=h[g]);++g)d[g]&&Ga(e,d[g]);if(b)if(c)for(h=h||ea(a),d=d||ea(f),g=0;null!=(e=h[g]);g++)Fa(e,d[g]);else Fa(a,f);return d=ea(f,"script"),d.length>0&&fa(d,!i&&ea(a,"script")),d=h=e=null,f},cleanData:function(a,b){for(var d,e,f,g,h=0,i=n.expando,j=n.cache,k=l.attributes,m=n.event.special;null!=(d=a[h]);h++)if((b||M(d))&&(f=d[i],g=f&&j[f])){if(g.events)for(e in g.events)m[e]?n.event.remove(d,e):n.removeEvent(d,e,g.handle);j[f]&&(delete j[f],k||"undefined"==typeof d.removeAttribute?d[i]=void 0:d.removeAttribute(i),c.push(f))}}}),n.fn.extend({domManip:Ha,detach:function(a){return Ia(this,a,!0)},remove:function(a){return Ia(this,a)},text:function(a){return Y(this,function(a){return void 0===a?n.text(this):this.empty().append((this[0]&&this[0].ownerDocument||d).createTextNode(a))},null,a,arguments.length)},append:function(){return Ha(this,arguments,function(a){if(1===this.nodeType||11===this.nodeType||9===this.nodeType){var b=Ca(this,a);b.appendChild(a)}})},prepend:function(){return Ha(this,arguments,function(a){if(1===this.nodeType||11===this.nodeType||9===this.nodeType){var b=Ca(this,a);b.insertBefore(a,b.firstChild)}})},before:function(){return Ha(this,arguments,function(a){this.parentNode&&this.parentNode.insertBefore(a,this)})},after:function(){return Ha(this,arguments,function(a){this.parentNode&&this.parentNode.insertBefore(a,this.nextSibling)})},empty:function(){for(var a,b=0;null!=(a=this[b]);b++){1===a.nodeType&&n.cleanData(ea(a,!1));while(a.firstChild)a.removeChild(a.firstChild);a.options&&n.nodeName(a,"select")&&(a.options.length=0)}return this},clone:function(a,b){return a=null==a?!1:a,b=null==b?a:b,this.map(function(){return n.clone(this,a,b)})},html:function(a){return Y(this,function(a){var b=this[0]||{},c=0,d=this.length;if(void 0===a)return 1===b.nodeType?b.innerHTML.replace(ta,""):void 0;if("string"==typeof a&&!wa.test(a)&&(l.htmlSerialize||!ua.test(a))&&(l.leadingWhitespace||!aa.test(a))&&!da[($.exec(a)||["",""])[1].toLowerCase()]){a=n.htmlPrefilter(a);try{for(;d>c;c++)b=this[c]||{},1===b.nodeType&&(n.cleanData(ea(b,!1)),b.innerHTML=a);b=0}catch(e){}}b&&this.empty().append(a)},null,a,arguments.length)},replaceWith:function(){var a=[];return Ha(this,arguments,function(b){var c=this.parentNode;n.inArray(this,a)<0&&(n.cleanData(ea(this)),c&&c.replaceChild(b,this))},a)}}),n.each({appendTo:"append",prependTo:"prepend",insertBefore:"before",insertAfter:"after",replaceAll:"replaceWith"},function(a,b){n.fn[a]=function(a){for(var c,d=0,e=[],f=n(a),h=f.length-1;h>=d;d++)c=d===h?this:this.clone(!0),n(f[d])[b](c),g.apply(e,c.get());return this.pushStack(e)}});var Ja,Ka={HTML:"block",BODY:"block"};function La(a,b){var c=n(b.createElement(a)).appendTo(b.body),d=n.css(c[0],"display");return c.detach(),d}function Ma(a){var b=d,c=Ka[a];return c||(c=La(a,b),"none"!==c&&c||(Ja=(Ja||n("<iframe frameborder='0' width='0' height='0'/>")).appendTo(b.documentElement),b=(Ja[0].contentWindow||Ja[0].contentDocument).document,b.write(),b.close(),c=La(a,b),Ja.detach()),Ka[a]=c),c}var Na=/^margin/,Oa=new RegExp("^("+T+")(?!px)[a-z%]+$","i"),Pa=function(a,b,c,d){var e,f,g={};for(f in b)g[f]=a.style[f],a.style[f]=b[f];e=c.apply(a,d||[]);for(f in b)a.style[f]=g[f];return e},Qa=d.documentElement;!function(){var b,c,e,f,g,h,i=d.createElement("div"),j=d.createElement("div");if(j.style){j.style.cssText="float:left;opacity:.5",l.opacity="0.5"===j.style.opacity,l.cssFloat=!!j.style.cssFloat,j.style.backgroundClip="content-box",j.cloneNode(!0).style.backgroundClip="",l.clearCloneStyle="content-box"===j.style.backgroundClip,i=d.createElement("div"),i.style.cssText="border:0;width:8px;height:0;top:0;left:-9999px;padding:0;margin-top:1px;position:absolute",j.innerHTML="",i.appendChild(j),l.boxSizing=""===j.style.boxSizing||""===j.style.MozBoxSizing||""===j.style.WebkitBoxSizing,n.extend(l,{reliableHiddenOffsets:function(){return null==b&&k(),f},boxSizingReliable:function(){return null==b&&k(),e},pixelMarginRight:function(){return null==b&&k(),c},pixelPosition:function(){return null==b&&k(),b},reliableMarginRight:function(){return null==b&&k(),g},reliableMarginLeft:function(){return null==b&&k(),h}});function k(){var k,l,m=d.documentElement;m.appendChild(i),j.style.cssText="-webkit-box-sizing:border-box;box-sizing:border-box;position:relative;display:block;margin:auto;border:1px;padding:1px;top:1%;width:50%",b=e=h=!1,c=g=!0,a.getComputedStyle&&(l=a.getComputedStyle(j),b="1%"!==(l||{}).top,h="2px"===(l||{}).marginLeft,e="4px"===(l||{width:"4px"}).width,j.style.marginRight="50%",c="4px"===(l||{marginRight:"4px"}).marginRight,k=j.appendChild(d.createElement("div")),k.style.cssText=j.style.cssText="-webkit-box-sizing:content-box;-moz-box-sizing:content-box;box-sizing:content-box;display:block;margin:0;border:0;padding:0",k.style.marginRight=k.style.width="0",j.style.width="1px",g=!parseFloat((a.getComputedStyle(k)||{}).marginRight),j.removeChild(k)),j.style.display="none",f=0===j.getClientRects().length,f&&(j.style.display="",j.innerHTML="<table><tr><td></td><td>t</td></tr></table>",j.childNodes[0].style.borderCollapse="separate",k=j.getElementsByTagName("td"),k[0].style.cssText="margin:0;border:0;padding:0;display:none",f=0===k[0].offsetHeight,f&&(k[0].style.display="",k[1].style.display="none",f=0===k[0].offsetHeight)),m.removeChild(i)}}}();var Ra,Sa,Ta=/^(top|right|bottom|left)$/;a.getComputedStyle?(Ra=function(b){var c=b.ownerDocument.defaultView;return c&&c.opener||(c=a),c.getComputedStyle(b)},Sa=function(a,b,c){var d,e,f,g,h=a.style;return c=c||Ra(a),g=c?c.getPropertyValue(b)||c[b]:void 0,""!==g&&void 0!==g||n.contains(a.ownerDocument,a)||(g=n.style(a,b)),c&&!l.pixelMarginRight()&&Oa.test(g)&&Na.test(b)&&(d=h.width,e=h.minWidth,f=h.maxWidth,h.minWidth=h.maxWidth=h.width=g,g=c.width,h.width=d,h.minWidth=e,h.maxWidth=f),void 0===g?g:g+""}):Qa.currentStyle&&(Ra=function(a){return a.currentStyle},Sa=function(a,b,c){var d,e,f,g,h=a.style;return c=c||Ra(a),g=c?c[b]:void 0,null==g&&h&&h[b]&&(g=h[b]),Oa.test(g)&&!Ta.test(b)&&(d=h.left,e=a.runtimeStyle,f=e&&e.left,f&&(e.left=a.currentStyle.left),h.left="fontSize"===b?"1em":g,g=h.pixelLeft+"px",h.left=d,f&&(e.left=f)),void 0===g?g:g+""||"auto"});function Ua(a,b){return{get:function(){return a()?void delete this.get:(this.get=b).apply(this,arguments)}}}var Va=/alpha\([^)]*\)/i,Wa=/opacity\s*=\s*([^)]*)/i,Xa=/^(none|table(?!-c[ea]).+)/,Ya=new RegExp("^("+T+")(.*)$","i"),Za={position:"absolute",visibility:"hidden",display:"block"},$a={letterSpacing:"0",fontWeight:"400"},_a=["Webkit","O","Moz","ms"],ab=d.createElement("div").style;function bb(a){if(a in ab)return a;var b=a.charAt(0).toUpperCase()+a.slice(1),c=_a.length;while(c--)if(a=_a[c]+b,a in ab)return a}function cb(a,b){for(var c,d,e,f=[],g=0,h=a.length;h>g;g++)d=a[g],d.style&&(f[g]=n._data(d,"olddisplay"),c=d.style.display,b?(f[g]||"none"!==c||(d.style.display=""),""===d.style.display&&W(d)&&(f[g]=n._data(d,"olddisplay",Ma(d.nodeName)))):(e=W(d),(c&&"none"!==c||!e)&&n._data(d,"olddisplay",e?c:n.css(d,"display"))));for(g=0;h>g;g++)d=a[g],d.style&&(b&&"none"!==d.style.display&&""!==d.style.display||(d.style.display=b?f[g]||"":"none"));return a}function db(a,b,c){var d=Ya.exec(b);return d?Math.max(0,d[1]-(c||0))+(d[2]||"px"):b}function eb(a,b,c,d,e){for(var f=c===(d?"border":"content")?4:"width"===b?1:0,g=0;4>f;f+=2)"margin"===c&&(g+=n.css(a,c+V[f],!0,e)),d?("content"===c&&(g-=n.css(a,"padding"+V[f],!0,e)),"margin"!==c&&(g-=n.css(a,"border"+V[f]+"Width",!0,e))):(g+=n.css(a,"padding"+V[f],!0,e),"padding"!==c&&(g+=n.css(a,"border"+V[f]+"Width",!0,e)));return g}function fb(a,b,c){var d=!0,e="width"===b?a.offsetWidth:a.offsetHeight,f=Ra(a),g=l.boxSizing&&"border-box"===n.css(a,"boxSizing",!1,f);if(0>=e||null==e){if(e=Sa(a,b,f),(0>e||null==e)&&(e=a.style[b]),Oa.test(e))return e;d=g&&(l.boxSizingReliable()||e===a.style[b]),e=parseFloat(e)||0}return e+eb(a,b,c||(g?"border":"content"),d,f)+"px"}n.extend({cssHooks:{opacity:{get:function(a,b){if(b){var c=Sa(a,"opacity");return""===c?"1":c}}}},cssNumber:{animationIterationCount:!0,columnCount:!0,fillOpacity:!0,flexGrow:!0,flexShrink:!0,fontWeight:!0,lineHeight:!0,opacity:!0,order:!0,orphans:!0,widows:!0,zIndex:!0,zoom:!0},cssProps:{"float":l.cssFloat?"cssFloat":"styleFloat"},style:function(a,b,c,d){if(a&&3!==a.nodeType&&8!==a.nodeType&&a.style){var e,f,g,h=n.camelCase(b),i=a.style;if(b=n.cssProps[h]||(n.cssProps[h]=bb(h)||h),g=n.cssHooks[b]||n.cssHooks[h],void 0===c)return g&&"get"in g&&void 0!==(e=g.get(a,!1,d))?e:i[b];if(f=typeof c,"string"===f&&(e=U.exec(c))&&e[1]&&(c=X(a,b,e),f="number"),null!=c&&c===c&&("number"===f&&(c+=e&&e[3]||(n.cssNumber[h]?"":"px")),l.clearCloneStyle||""!==c||0!==b.indexOf("background")||(i[b]="inherit"),!(g&&"set"in g&&void 0===(c=g.set(a,c,d)))))try{i[b]=c}catch(j){}}},css:function(a,b,c,d){var e,f,g,h=n.camelCase(b);return b=n.cssProps[h]||(n.cssProps[h]=bb(h)||h),g=n.cssHooks[b]||n.cssHooks[h],g&&"get"in g&&(f=g.get(a,!0,c)),void 0===f&&(f=Sa(a,b,d)),"normal"===f&&b in $a&&(f=$a[b]),""===c||c?(e=parseFloat(f),c===!0||isFinite(e)?e||0:f):f}}),n.each(["height","width"],function(a,b){n.cssHooks[b]={get:function(a,c,d){return c?Xa.test(n.css(a,"display"))&&0===a.offsetWidth?Pa(a,Za,function(){return fb(a,b,d)}):fb(a,b,d):void 0},set:function(a,c,d){var e=d&&Ra(a);return db(a,c,d?eb(a,b,d,l.boxSizing&&"border-box"===n.css(a,"boxSizing",!1,e),e):0)}}}),l.opacity||(n.cssHooks.opacity={get:function(a,b){return Wa.test((b&&a.currentStyle?a.currentStyle.filter:a.style.filter)||"")?.01*parseFloat(RegExp.$1)+"":b?"1":""},set:function(a,b){var c=a.style,d=a.currentStyle,e=n.isNumeric(b)?"alpha(opacity="+100*b+")":"",f=d&&d.filter||c.filter||"";c.zoom=1,(b>=1||""===b)&&""===n.trim(f.replace(Va,""))&&c.removeAttribute&&(c.removeAttribute("filter"),""===b||d&&!d.filter)||(c.filter=Va.test(f)?f.replace(Va,e):f+" "+e)}}),n.cssHooks.marginRight=Ua(l.reliableMarginRight,function(a,b){return b?Pa(a,{display:"inline-block"},Sa,[a,"marginRight"]):void 0}),n.cssHooks.marginLeft=Ua(l.reliableMarginLeft,function(a,b){return b?(parseFloat(Sa(a,"marginLeft"))||(n.contains(a.ownerDocument,a)?a.getBoundingClientRect().left-Pa(a,{ >marginLeft:0},function(){return a.getBoundingClientRect().left}):0))+"px":void 0}),n.each({margin:"",padding:"",border:"Width"},function(a,b){n.cssHooks[a+b]={expand:function(c){for(var d=0,e={},f="string"==typeof c?c.split(" "):[c];4>d;d++)e[a+V[d]+b]=f[d]||f[d-2]||f[0];return e}},Na.test(a)||(n.cssHooks[a+b].set=db)}),n.fn.extend({css:function(a,b){return Y(this,function(a,b,c){var d,e,f={},g=0;if(n.isArray(b)){for(d=Ra(a),e=b.length;e>g;g++)f[b[g]]=n.css(a,b[g],!1,d);return f}return void 0!==c?n.style(a,b,c):n.css(a,b)},a,b,arguments.length>1)},show:function(){return cb(this,!0)},hide:function(){return cb(this)},toggle:function(a){return"boolean"==typeof a?a?this.show():this.hide():this.each(function(){W(this)?n(this).show():n(this).hide()})}});function gb(a,b,c,d,e){return new gb.prototype.init(a,b,c,d,e)}n.Tween=gb,gb.prototype={constructor:gb,init:function(a,b,c,d,e,f){this.elem=a,this.prop=c,this.easing=e||n.easing._default,this.options=b,this.start=this.now=this.cur(),this.end=d,this.unit=f||(n.cssNumber[c]?"":"px")},cur:function(){var a=gb.propHooks[this.prop];return a&&a.get?a.get(this):gb.propHooks._default.get(this)},run:function(a){var b,c=gb.propHooks[this.prop];return this.options.duration?this.pos=b=n.easing[this.easing](a,this.options.duration*a,0,1,this.options.duration):this.pos=b=a,this.now=(this.end-this.start)*b+this.start,this.options.step&&this.options.step.call(this.elem,this.now,this),c&&c.set?c.set(this):gb.propHooks._default.set(this),this}},gb.prototype.init.prototype=gb.prototype,gb.propHooks={_default:{get:function(a){var b;return 1!==a.elem.nodeType||null!=a.elem[a.prop]&&null==a.elem.style[a.prop]?a.elem[a.prop]:(b=n.css(a.elem,a.prop,""),b&&"auto"!==b?b:0)},set:function(a){n.fx.step[a.prop]?n.fx.step[a.prop](a):1!==a.elem.nodeType||null==a.elem.style[n.cssProps[a.prop]]&&!n.cssHooks[a.prop]?a.elem[a.prop]=a.now:n.style(a.elem,a.prop,a.now+a.unit)}}},gb.propHooks.scrollTop=gb.propHooks.scrollLeft={set:function(a){a.elem.nodeType&&a.elem.parentNode&&(a.elem[a.prop]=a.now)}},n.easing={linear:function(a){return a},swing:function(a){return.5-Math.cos(a*Math.PI)/2},_default:"swing"},n.fx=gb.prototype.init,n.fx.step={};var hb,ib,jb=/^(?:toggle|show|hide)$/,kb=/queueHooks$/;function lb(){return a.setTimeout(function(){hb=void 0}),hb=n.now()}function mb(a,b){var c,d={height:a},e=0;for(b=b?1:0;4>e;e+=2-b)c=V[e],d["margin"+c]=d["padding"+c]=a;return b&&(d.opacity=d.width=a),d}function nb(a,b,c){for(var d,e=(qb.tweeners[b]||[]).concat(qb.tweeners["*"]),f=0,g=e.length;g>f;f++)if(d=e[f].call(c,b,a))return d}function ob(a,b,c){var d,e,f,g,h,i,j,k,m=this,o={},p=a.style,q=a.nodeType&&W(a),r=n._data(a,"fxshow");c.queue||(h=n._queueHooks(a,"fx"),null==h.unqueued&&(h.unqueued=0,i=h.empty.fire,h.empty.fire=function(){h.unqueued||i()}),h.unqueued++,m.always(function(){m.always(function(){h.unqueued--,n.queue(a,"fx").length||h.empty.fire()})})),1===a.nodeType&&("height"in b||"width"in b)&&(c.overflow=[p.overflow,p.overflowX,p.overflowY],j=n.css(a,"display"),k="none"===j?n._data(a,"olddisplay")||Ma(a.nodeName):j,"inline"===k&&"none"===n.css(a,"float")&&(l.inlineBlockNeedsLayout&&"inline"!==Ma(a.nodeName)?p.zoom=1:p.display="inline-block")),c.overflow&&(p.overflow="hidden",l.shrinkWrapBlocks()||m.always(function(){p.overflow=c.overflow[0],p.overflowX=c.overflow[1],p.overflowY=c.overflow[2]}));for(d in b)if(e=b[d],jb.exec(e)){if(delete b[d],f=f||"toggle"===e,e===(q?"hide":"show")){if("show"!==e||!r||void 0===r[d])continue;q=!0}o[d]=r&&r[d]||n.style(a,d)}else j=void 0;if(n.isEmptyObject(o))"inline"===("none"===j?Ma(a.nodeName):j)&&(p.display=j);else{r?"hidden"in r&&(q=r.hidden):r=n._data(a,"fxshow",{}),f&&(r.hidden=!q),q?n(a).show():m.done(function(){n(a).hide()}),m.done(function(){var b;n._removeData(a,"fxshow");for(b in o)n.style(a,b,o[b])});for(d in o)g=nb(q?r[d]:0,d,m),d in r||(r[d]=g.start,q&&(g.end=g.start,g.start="width"===d||"height"===d?1:0))}}function pb(a,b){var c,d,e,f,g;for(c in a)if(d=n.camelCase(c),e=b[d],f=a[c],n.isArray(f)&&(e=f[1],f=a[c]=f[0]),c!==d&&(a[d]=f,delete a[c]),g=n.cssHooks[d],g&&"expand"in g){f=g.expand(f),delete a[d];for(c in f)c in a||(a[c]=f[c],b[c]=e)}else b[d]=e}function qb(a,b,c){var d,e,f=0,g=qb.prefilters.length,h=n.Deferred().always(function(){delete i.elem}),i=function(){if(e)return!1;for(var b=hb||lb(),c=Math.max(0,j.startTime+j.duration-b),d=c/j.duration||0,f=1-d,g=0,i=j.tweens.length;i>g;g++)j.tweens[g].run(f);return h.notifyWith(a,[j,f,c]),1>f&&i?c:(h.resolveWith(a,[j]),!1)},j=h.promise({elem:a,props:n.extend({},b),opts:n.extend(!0,{specialEasing:{},easing:n.easing._default},c),originalProperties:b,originalOptions:c,startTime:hb||lb(),duration:c.duration,tweens:[],createTween:function(b,c){var d=n.Tween(a,j.opts,b,c,j.opts.specialEasing[b]||j.opts.easing);return j.tweens.push(d),d},stop:function(b){var c=0,d=b?j.tweens.length:0;if(e)return this;for(e=!0;d>c;c++)j.tweens[c].run(1);return b?(h.notifyWith(a,[j,1,0]),h.resolveWith(a,[j,b])):h.rejectWith(a,[j,b]),this}}),k=j.props;for(pb(k,j.opts.specialEasing);g>f;f++)if(d=qb.prefilters[f].call(j,a,k,j.opts))return n.isFunction(d.stop)&&(n._queueHooks(j.elem,j.opts.queue).stop=n.proxy(d.stop,d)),d;return n.map(k,nb,j),n.isFunction(j.opts.start)&&j.opts.start.call(a,j),n.fx.timer(n.extend(i,{elem:a,anim:j,queue:j.opts.queue})),j.progress(j.opts.progress).done(j.opts.done,j.opts.complete).fail(j.opts.fail).always(j.opts.always)}n.Animation=n.extend(qb,{tweeners:{"*":[function(a,b){var c=this.createTween(a,b);return X(c.elem,a,U.exec(b),c),c}]},tweener:function(a,b){n.isFunction(a)?(b=a,a=["*"]):a=a.match(G);for(var c,d=0,e=a.length;e>d;d++)c=a[d],qb.tweeners[c]=qb.tweeners[c]||[],qb.tweeners[c].unshift(b)},prefilters:[ob],prefilter:function(a,b){b?qb.prefilters.unshift(a):qb.prefilters.push(a)}}),n.speed=function(a,b,c){var d=a&&"object"==typeof a?n.extend({},a):{complete:c||!c&&b||n.isFunction(a)&&a,duration:a,easing:c&&b||b&&!n.isFunction(b)&&b};return d.duration=n.fx.off?0:"number"==typeof d.duration?d.duration:d.duration in n.fx.speeds?n.fx.speeds[d.duration]:n.fx.speeds._default,null!=d.queue&&d.queue!==!0||(d.queue="fx"),d.old=d.complete,d.complete=function(){n.isFunction(d.old)&&d.old.call(this),d.queue&&n.dequeue(this,d.queue)},d},n.fn.extend({fadeTo:function(a,b,c,d){return this.filter(W).css("opacity",0).show().end().animate({opacity:b},a,c,d)},animate:function(a,b,c,d){var e=n.isEmptyObject(a),f=n.speed(b,c,d),g=function(){var b=qb(this,n.extend({},a),f);(e||n._data(this,"finish"))&&b.stop(!0)};return g.finish=g,e||f.queue===!1?this.each(g):this.queue(f.queue,g)},stop:function(a,b,c){var d=function(a){var b=a.stop;delete a.stop,b(c)};return"string"!=typeof a&&(c=b,b=a,a=void 0),b&&a!==!1&&this.queue(a||"fx",[]),this.each(function(){var b=!0,e=null!=a&&a+"queueHooks",f=n.timers,g=n._data(this);if(e)g[e]&&g[e].stop&&d(g[e]);else for(e in g)g[e]&&g[e].stop&&kb.test(e)&&d(g[e]);for(e=f.length;e--;)f[e].elem!==this||null!=a&&f[e].queue!==a||(f[e].anim.stop(c),b=!1,f.splice(e,1));!b&&c||n.dequeue(this,a)})},finish:function(a){return a!==!1&&(a=a||"fx"),this.each(function(){var b,c=n._data(this),d=c[a+"queue"],e=c[a+"queueHooks"],f=n.timers,g=d?d.length:0;for(c.finish=!0,n.queue(this,a,[]),e&&e.stop&&e.stop.call(this,!0),b=f.length;b--;)f[b].elem===this&&f[b].queue===a&&(f[b].anim.stop(!0),f.splice(b,1));for(b=0;g>b;b++)d[b]&&d[b].finish&&d[b].finish.call(this);delete c.finish})}}),n.each(["toggle","show","hide"],function(a,b){var c=n.fn[b];n.fn[b]=function(a,d,e){return null==a||"boolean"==typeof a?c.apply(this,arguments):this.animate(mb(b,!0),a,d,e)}}),n.each({slideDown:mb("show"),slideUp:mb("hide"),slideToggle:mb("toggle"),fadeIn:{opacity:"show"},fadeOut:{opacity:"hide"},fadeToggle:{opacity:"toggle"}},function(a,b){n.fn[a]=function(a,c,d){return this.animate(b,a,c,d)}}),n.timers=[],n.fx.tick=function(){var a,b=n.timers,c=0;for(hb=n.now();c<b.length;c++)a=b[c],a()||b[c]!==a||b.splice(c--,1);b.length||n.fx.stop(),hb=void 0},n.fx.timer=function(a){n.timers.push(a),a()?n.fx.start():n.timers.pop()},n.fx.interval=13,n.fx.start=function(){ib||(ib=a.setInterval(n.fx.tick,n.fx.interval))},n.fx.stop=function(){a.clearInterval(ib),ib=null},n.fx.speeds={slow:600,fast:200,_default:400},n.fn.delay=function(b,c){return b=n.fx?n.fx.speeds[b]||b:b,c=c||"fx",this.queue(c,function(c,d){var e=a.setTimeout(c,b);d.stop=function(){a.clearTimeout(e)}})},function(){var a,b=d.createElement("input"),c=d.createElement("div"),e=d.createElement("select"),f=e.appendChild(d.createElement("option"));c=d.createElement("div"),c.setAttribute("className","t"),c.innerHTML=" <link/><table></table><a href='/a'>a</a><input type='checkbox'/>",a=c.getElementsByTagName("a")[0],b.setAttribute("type","checkbox"),c.appendChild(b),a=c.getElementsByTagName("a")[0],a.style.cssText="top:1px",l.getSetAttribute="t"!==c.className,l.style=/top/.test(a.getAttribute("style")),l.hrefNormalized="/a"===a.getAttribute("href"),l.checkOn=!!b.value,l.optSelected=f.selected,l.enctype=!!d.createElement("form").enctype,e.disabled=!0,l.optDisabled=!f.disabled,b=d.createElement("input"),b.setAttribute("value",""),l.input=""===b.getAttribute("value"),b.value="t",b.setAttribute("type","radio"),l.radioValue="t"===b.value}();var rb=/\r/g,sb=/[\x20\t\r\n\f]+/g;n.fn.extend({val:function(a){var b,c,d,e=this[0];{if(arguments.length)return d=n.isFunction(a),this.each(function(c){var e;1===this.nodeType&&(e=d?a.call(this,c,n(this).val()):a,null==e?e="":"number"==typeof e?e+="":n.isArray(e)&&(e=n.map(e,function(a){return null==a?"":a+""})),b=n.valHooks[this.type]||n.valHooks[this.nodeName.toLowerCase()],b&&"set"in b&&void 0!==b.set(this,e,"value")||(this.value=e))});if(e)return b=n.valHooks[e.type]||n.valHooks[e.nodeName.toLowerCase()],b&&"get"in b&&void 0!==(c=b.get(e,"value"))?c:(c=e.value,"string"==typeof c?c.replace(rb,""):null==c?"":c)}}}),n.extend({valHooks:{option:{get:function(a){var b=n.find.attr(a,"value");return null!=b?b:n.trim(n.text(a)).replace(sb," ")}},select:{get:function(a){for(var b,c,d=a.options,e=a.selectedIndex,f="select-one"===a.type||0>e,g=f?null:[],h=f?e+1:d.length,i=0>e?h:f?e:0;h>i;i++)if(c=d[i],(c.selected||i===e)&&(l.optDisabled?!c.disabled:null===c.getAttribute("disabled"))&&(!c.parentNode.disabled||!n.nodeName(c.parentNode,"optgroup"))){if(b=n(c).val(),f)return b;g.push(b)}return g},set:function(a,b){var c,d,e=a.options,f=n.makeArray(b),g=e.length;while(g--)if(d=e[g],n.inArray(n.valHooks.option.get(d),f)>-1)try{d.selected=c=!0}catch(h){d.scrollHeight}else d.selected=!1;return c||(a.selectedIndex=-1),e}}}}),n.each(["radio","checkbox"],function(){n.valHooks[this]={set:function(a,b){return n.isArray(b)?a.checked=n.inArray(n(a).val(),b)>-1:void 0}},l.checkOn||(n.valHooks[this].get=function(a){return null===a.getAttribute("value")?"on":a.value})});var tb,ub,vb=n.expr.attrHandle,wb=/^(?:checked|selected)$/i,xb=l.getSetAttribute,yb=l.input;n.fn.extend({attr:function(a,b){return Y(this,n.attr,a,b,arguments.length>1)},removeAttr:function(a){return this.each(function(){n.removeAttr(this,a)})}}),n.extend({attr:function(a,b,c){var d,e,f=a.nodeType;if(3!==f&&8!==f&&2!==f)return"undefined"==typeof a.getAttribute?n.prop(a,b,c):(1===f&&n.isXMLDoc(a)||(b=b.toLowerCase(),e=n.attrHooks[b]||(n.expr.match.bool.test(b)?ub:tb)),void 0!==c?null===c?void n.removeAttr(a,b):e&&"set"in e&&void 0!==(d=e.set(a,c,b))?d:(a.setAttribute(b,c+""),c):e&&"get"in e&&null!==(d=e.get(a,b))?d:(d=n.find.attr(a,b),null==d?void 0:d))},attrHooks:{type:{set:function(a,b){if(!l.radioValue&&"radio"===b&&n.nodeName(a,"input")){var c=a.value;return a.setAttribute("type",b),c&&(a.value=c),b}}}},removeAttr:function(a,b){var c,d,e=0,f=b&&b.match(G);if(f&&1===a.nodeType)while(c=f[e++])d=n.propFix[c]||c,n.expr.match.bool.test(c)?yb&&xb||!wb.test(c)?a[d]=!1:a[n.camelCase("default-"+c)]=a[d]=!1:n.attr(a,c,""),a.removeAttribute(xb?c:d)}}),ub={set:function(a,b,c){return b===!1?n.removeAttr(a,c):yb&&xb||!wb.test(c)?a.setAttribute(!xb&&n.propFix[c]||c,c):a[n.camelCase("default-"+c)]=a[c]=!0,c}},n.each(n.expr.match.bool.source.match(/\w+/g),function(a,b){var c=vb[b]||n.find.attr;yb&&xb||!wb.test(b)?vb[b]=function(a,b,d){var e,f;return d||(f=vb[b],vb[b]=e,e=null!=c(a,b,d)?b.toLowerCase():null,vb[b]=f),e}:vb[b]=function(a,b,c){return c?void 0:a[n.camelCase("default-"+b)]?b.toLowerCase():null}}),yb&&xb||(n.attrHooks.value={set:function(a,b,c){return n.nodeName(a,"input")?void(a.defaultValue=b):tb&&tb.set(a,b,c)}}),xb||(tb={set:function(a,b,c){var d=a.getAttributeNode(c);return d||a.setAttributeNode(d=a.ownerDocument.createAttribute(c)),d.value=b+="","value"===c||b===a.getAttribute(c)?b:void 0}},vb.id=vb.name=vb.coords=function(a,b,c){var d;return c?void 0:(d=a.getAttributeNode(b))&&""!==d.value?d.value:null},n.valHooks.button={get:function(a,b){var c=a.getAttributeNode(b);return c&&c.specified?c.value:void 0},set:tb.set},n.attrHooks.contenteditable={set:function(a,b,c){tb.set(a,""===b?!1:b,c)}},n.each(["width","height"],function(a,b){n.attrHooks[b]={set:function(a,c){return""===c?(a.setAttribute(b,"auto"),c):void 0}}})),l.style||(n.attrHooks.style={get:function(a){return a.style.cssText||void 0},set:function(a,b){return a.style.cssText=b+""}});var zb=/^(?:input|select|textarea|button|object)$/i,Ab=/^(?:a|area)$/i;n.fn.extend({prop:function(a,b){return Y(this,n.prop,a,b,arguments.length>1)},removeProp:function(a){return a=n.propFix[a]||a,this.each(function(){try{this[a]=void 0,delete this[a]}catch(b){}})}}),n.extend({prop:function(a,b,c){var d,e,f=a.nodeType;if(3!==f&&8!==f&&2!==f)return 1===f&&n.isXMLDoc(a)||(b=n.propFix[b]||b,e=n.propHooks[b]),void 0!==c?e&&"set"in e&&void 0!==(d=e.set(a,c,b))?d:a[b]=c:e&&"get"in e&&null!==(d=e.get(a,b))?d:a[b]},propHooks:{tabIndex:{get:function(a){var b=n.find.attr(a,"tabindex");return b?parseInt(b,10):zb.test(a.nodeName)||Ab.test(a.nodeName)&&a.href?0:-1}}},propFix:{"for":"htmlFor","class":"className"}}),l.hrefNormalized||n.each(["href","src"],function(a,b){n.propHooks[b]={get:function(a){return a.getAttribute(b,4)}}}),l.optSelected||(n.propHooks.selected={get:function(a){var b=a.parentNode;return b&&(b.selectedIndex,b.parentNode&&b.parentNode.selectedIndex),null},set:function(a){var b=a.parentNode;b&&(b.selectedIndex,b.parentNode&&b.parentNode.selectedIndex)}}),n.each(["tabIndex","readOnly","maxLength","cellSpacing","cellPadding","rowSpan","colSpan","useMap","frameBorder","contentEditable"],function(){n.propFix[this.toLowerCase()]=this}),l.enctype||(n.propFix.enctype="encoding");var Bb=/[\t\r\n\f]/g;function Cb(a){return n.attr(a,"class")||""}n.fn.extend({addClass:function(a){var b,c,d,e,f,g,h,i=0;if(n.isFunction(a))return this.each(function(b){n(this).addClass(a.call(this,b,Cb(this)))});if("string"==typeof a&&a){b=a.match(G)||[];while(c=this[i++])if(e=Cb(c),d=1===c.nodeType&&(" "+e+" ").replace(Bb," ")){g=0;while(f=b[g++])d.indexOf(" "+f+" ")<0&&(d+=f+" ");h=n.trim(d),e!==h&&n.attr(c,"class",h)}}return this},removeClass:function(a){var b,c,d,e,f,g,h,i=0;if(n.isFunction(a))return this.each(function(b){n(this).removeClass(a.call(this,b,Cb(this)))});if(!arguments.length)return this.attr("class","");if("string"==typeof a&&a){b=a.match(G)||[];while(c=this[i++])if(e=Cb(c),d=1===c.nodeType&&(" "+e+" ").replace(Bb," ")){g=0;while(f=b[g++])while(d.indexOf(" "+f+" ")>-1)d=d.replace(" "+f+" "," ");h=n.trim(d),e!==h&&n.attr(c,"class",h)}}return this},toggleClass:function(a,b){var c=typeof a;return"boolean"==typeof b&&"string"===c?b?this.addClass(a):this.removeClass(a):n.isFunction(a)?this.each(function(c){n(this).toggleClass(a.call(this,c,Cb(this),b),b)}):this.each(function(){var b,d,e,f;if("string"===c){d=0,e=n(this),f=a.match(G)||[];while(b=f[d++])e.hasClass(b)?e.removeClass(b):e.addClass(b)}else void 0!==a&&"boolean"!==c||(b=Cb(this),b&&n._data(this,"__className__",b),n.attr(this,"class",b||a===!1?"":n._data(this,"__className__")||""))})},hasClass:function(a){var b,c,d=0;b=" "+a+" ";while(c=this[d++])if(1===c.nodeType&&(" "+Cb(c)+" ").replace(Bb," ").indexOf(b)>-1)return!0;return!1}}),n.each("blur focus focusin focusout load resize scroll unload click dblclick mousedown mouseup mousemove mouseover mouseout mouseenter mouseleave change select submit keydown keypress keyup error contextmenu".split(" "),function(a,b){n.fn[b]=function(a,c){return arguments.length>0?this.on(b,null,a,c):this.trigger(b)}}),n.fn.extend({hover:function(a,b){return this.mouseenter(a).mouseleave(b||a)}});var Db=a.location,Eb=n.now(),Fb=/\?/,Gb=/(,)|(\[|{)|(}|])|"(?:[^"\\\r\n]|\\["\\\/bfnrt]|\\u[\da-fA-F]{4})*"\s*:?|true|false|null|-?(?!0\d)\d+(?:\.\d+|)(?:[eE][+-]?\d+|)/g;n.parseJSON=function(b){if(a.JSON&&a.JSON.parse)return a.JSON.parse(b+"");var c,d=null,e=n.trim(b+"");return e&&!n.trim(e.replace(Gb,function(a,b,e,f){return c&&b&&(d=0),0===d?a:(c=e||b,d+=!f-!e,"")}))?Function("return "+e)():n.error("Invalid JSON: "+b)},n.parseXML=function(b){var c,d;if(!b||"string"!=typeof b)return null;try{a.DOMParser?(d=new a.DOMParser,c=d.parseFromString(b,"text/xml")):(c=new a.ActiveXObject("Microsoft.XMLDOM"),c.async="false",c.loadXML(b))}catch(e){c=void 0}return c&&c.documentElement&&!c.getElementsByTagName("parsererror").length||n.error("Invalid XML: "+b),c};var Hb=/#.*$/,Ib=/([?&])_=[^&]*/,Jb=/^(.*?):[ \t]*([^\r\n]*)\r?$/gm,Kb=/^(?:about|app|app-storage|.+-extension|file|res|widget):$/,Lb=/^(?:GET|HEAD)$/,Mb=/^\/\//,Nb=/^([\w.+-]+:)(?:\/\/(?:[^\/?#]*@|)([^\/?#:]*)(?::(\d+)|)|)/,Ob={},Pb={},Qb="*/".concat("*"),Rb=Db.href,Sb=Nb.exec(Rb.toLowerCase())||[];function Tb(a){return function(b,c){"string"!=typeof b&&(c=b,b="*");var d,e=0,f=b.toLowerCase().match(G)||[];if(n.isFunction(c))while(d=f[e++])"+"===d.charAt(0)?(d=d.slice(1)||"*",(a[d]=a[d]||[]).unshift(c)):(a[d]=a[d]||[]).push(c)}}function Ub(a,b,c,d){var e={},f=a===Pb;function g(h){var i;return e[h]=!0,n.each(a[h]||[],function(a,h){var j=h(b,c,d);return"string"!=typeof j||f||e[j]?f?!(i=j):void 0:(b.dataTypes.unshift(j),g(j),!1)}),i}return g(b.dataTypes[0])||!e["*"]&&g("*")}function Vb(a,b){var c,d,e=n.ajaxSettings.flatOptions||{};for(d in b)void 0!==b[d]&&((e[d]?a:c||(c={}))[d]=b[d]);return c&&n.extend(!0,a,c),a}function Wb(a,b,c){var d,e,f,g,h=a.contents,i=a.dataTypes;while("*"===i[0])i.shift(),void 0===e&&(e=a.mimeType||b.getResponseHeader("Content-Type"));if(e)for(g in h)if(h[g]&&h[g].test(e)){i.unshift(g);break}if(i[0]in c)f=i[0];else{for(g in c){if(!i[0]||a.converters[g+" "+i[0]]){f=g;break}d||(d=g)}f=f||d}return f?(f!==i[0]&&i.unshift(f),c[f]):void 0}function Xb(a,b,c,d){var e,f,g,h,i,j={},k=a.dataTypes.slice();if(k[1])for(g in a.converters)j[g.toLowerCase()]=a.converters[g];f=k.shift();while(f)if(a.responseFields[f]&&(c[a.responseFields[f]]=b),!i&&d&&a.dataFilter&&(b=a.dataFilter(b,a.dataType)),i=f,f=k.shift())if("*"===f)f=i;else if("*"!==i&&i!==f){if(g=j[i+" "+f]||j["* "+f],!g)for(e in j)if(h=e.split(" "),h[1]===f&&(g=j[i+" "+h[0]]||j["* "+h[0]])){g===!0?g=j[e]:j[e]!==!0&&(f=h[0],k.unshift(h[1]));break}if(g!==!0)if(g&&a["throws"])b=g(b);else try{b=g(b)}catch(l){return{state:"parsererror",error:g?l:"No conversion from "+i+" to "+f}}}return{state:"success",data:b}}n.extend({active:0,lastModified:{},etag:{},ajaxSettings:{url:Rb,type:"GET",isLocal:Kb.test(Sb[1]),global:!0,processData:!0,async:!0,contentType:"application/x-www-form-urlencoded; charset=UTF-8",accepts:{"*":Qb,text:"text/plain",html:"text/html",xml:"application/xml, text/xml",json:"application/json, text/javascript"},contents:{xml:/\bxml\b/,html:/\bhtml/,json:/\bjson\b/},responseFields:{xml:"responseXML",text:"responseText",json:"responseJSON"},converters:{"* text":String,"text html":!0,"text json":n.parseJSON,"text xml":n.parseXML},flatOptions:{url:!0,context:!0}},ajaxSetup:function(a,b){return b?Vb(Vb(a,n.ajaxSettings),b):Vb(n.ajaxSettings,a)},ajaxPrefilter:Tb(Ob),ajaxTransport:Tb(Pb),ajax:function(b,c){"object"==typeof b&&(c=b,b=void 0),c=c||{};var d,e,f,g,h,i,j,k,l=n.ajaxSetup({},c),m=l.context||l,o=l.context&&(m.nodeType||m.jquery)?n(m):n.event,p=n.Deferred(),q=n.Callbacks("once memory"),r=l.statusCode||{},s={},t={},u=0,v="canceled",w={readyState:0,getResponseHeader:function(a){var b;if(2===u){if(!k){k={};while(b=Jb.exec(g))k[b[1].toLowerCase()]=b[2]}b=k[a.toLowerCase()]}return null==b?null:b},getAllResponseHeaders:function(){return 2===u?g:null},setRequestHeader:function(a,b){var c=a.toLowerCase();return u||(a=t[c]=t[c]||a,s[a]=b),this},overrideMimeType:function(a){return u||(l.mimeType=a),this},statusCode:function(a){var b;if(a)if(2>u)for(b in a)r[b]=[r[b],a[b]];else w.always(a[w.status]);return this},abort:function(a){var b=a||v;return j&&j.abort(b),y(0,b),this}};if(p.promise(w).complete=q.add,w.success=w.done,w.error=w.fail,l.url=((b||l.url||Rb)+"").replace(Hb,"").replace(Mb,Sb[1]+"//"),l.type=c.method||c.type||l.method||l.type,l.dataTypes=n.trim(l.dataType||"*").toLowerCase().match(G)||[""],null==l.crossDomain&&(d=Nb.exec(l.url.toLowerCase()),l.crossDomain=!(!d||d[1]===Sb[1]&&d[2]===Sb[2]&&(d[3]||("http:"===d[1]?"80":"443"))===(Sb[3]||("http:"===Sb[1]?"80":"443")))),l.data&&l.processData&&"string"!=typeof l.data&&(l.data=n.param(l.data,l.traditional)),Ub(Ob,l,c,w),2===u)return w;i=n.event&&l.global,i&&0===n.active++&&n.event.trigger("ajaxStart"),l.type=l.type.toUpperCase(),l.hasContent=!Lb.test(l.type),f=l.url,l.hasContent||(l.data&&(f=l.url+=(Fb.test(f)?"&":"?")+l.data,delete l.data),l.cache===!1&&(l.url=Ib.test(f)?f.replace(Ib,"$1_="+Eb++):f+(Fb.test(f)?"&":"?")+"_="+Eb++)),l.ifModified&&(n.lastModified[f]&&w.setRequestHeader("If-Modified-Since",n.lastModified[f]),n.etag[f]&&w.setRequestHeader("If-None-Match",n.etag[f])),(l.data&&l.hasContent&&l.contentType!==!1||c.contentType)&&w.setRequestHeader("Content-Type",l.contentType),w.setRequestHeader("Accept",l.dataTypes[0]&&l.accepts[l.dataTypes[0]]?l.accepts[l.dataTypes[0]]+("*"!==l.dataTypes[0]?", "+Qb+"; q=0.01":""):l.accepts["*"]);for(e in l.headers)w.setRequestHeader(e,l.headers[e]);if(l.beforeSend&&(l.beforeSend.call(m,w,l)===!1||2===u))return w.abort();v="abort";for(e in{success:1,error:1,complete:1})w[e](l[e]);if(j=Ub(Pb,l,c,w)){if(w.readyState=1,i&&o.trigger("ajaxSend",[w,l]),2===u)return w;l.async&&l.timeout>0&&(h=a.setTimeout(function(){w.abort("timeout")},l.timeout));try{u=1,j.send(s,y)}catch(x){if(!(2>u))throw x;y(-1,x)}}else y(-1,"No Transport");function y(b,c,d,e){var k,s,t,v,x,y=c;2!==u&&(u=2,h&&a.clearTimeout(h),j=void 0,g=e||"",w.readyState=b>0?4:0,k=b>=200&&300>b||304===b,d&&(v=Wb(l,w,d)),v=Xb(l,v,w,k),k?(l.ifModified&&(x=w.getResponseHeader("Last-Modified"),x&&(n.lastModified[f]=x),x=w.getResponseHeader("etag"),x&&(n.etag[f]=x)),204===b||"HEAD"===l.type?y="nocontent":304===b?y="notmodified":(y=v.state,s=v.data,t=v.error,k=!t)):(t=y,!b&&y||(y="error",0>b&&(b=0))),w.status=b,w.statusText=(c||y)+"",k?p.resolveWith(m,[s,y,w]):p.rejectWith(m,[w,y,t]),w.statusCode(r),r=void 0,i&&o.trigger(k?"ajaxSuccess":"ajaxError",[w,l,k?s:t]),q.fireWith(m,[w,y]),i&&(o.trigger("ajaxComplete",[w,l]),--n.active||n.event.trigger("ajaxStop")))}return w},getJSON:function(a,b,c){return n.get(a,b,c,"json")},getScript:function(a,b){return n.get(a,void 0,b,"script")}}),n.each(["get","post"],function(a,b){n[b]=function(a,c,d,e){return n.isFunction(c)&&(e=e||d,d=c,c=void 0),n.ajax(n.extend({url:a,type:b,dataType:e,data:c,success:d},n.isPlainObject(a)&&a))}}),n._evalUrl=function(a){return n.ajax({url:a,type:"GET",dataType:"script",cache:!0,async:!1,global:!1,"throws":!0})},n.fn.extend({wrapAll:function(a){if(n.isFunction(a))return this.each(function(b){n(this).wrapAll(a.call(this,b))});if(this[0]){var b=n(a,this[0].ownerDocument).eq(0).clone(!0);this[0].parentNode&&b.insertBefore(this[0]),b.map(function(){var a=this;while(a.firstChild&&1===a.firstChild.nodeType)a=a.firstChild;return a}).append(this)}return this},wrapInner:function(a){return n.isFunction(a)?this.each(function(b){n(this).wrapInner(a.call(this,b))}):this.each(function(){var b=n(this),c=b.contents();c.length?c.wrapAll(a):b.append(a)})},wrap:function(a){var b=n.isFunction(a);return this.each(function(c){n(this).wrapAll(b?a.call(this,c):a)})},unwrap:function(){return this.parent().each(function(){n.nodeName(this,"body")||n(this).replaceWith(this.childNodes)}).end()}});function Yb(a){return a.style&&a.style.display||n.css(a,"display")}function Zb(a){if(!n.contains(a.ownerDocument||d,a))return!0;while(a&&1===a.nodeType){if("none"===Yb(a)||"hidden"===a.type)return!0;a=a.parentNode}return!1}n.expr.filters.hidden=function(a){return l.reliableHiddenOffsets()?a.offsetWidth<=0&&a.offsetHeight<=0&&!a.getClientRects().length:Zb(a)},n.expr.filters.visible=function(a){return!n.expr.filters.hidden(a)};var $b=/%20/g,_b=/\[\]$/,ac=/\r?\n/g,bc=/^(?:submit|button|image|reset|file)$/i,cc=/^(?:input|select|textarea|keygen)/i;function dc(a,b,c,d){var e;if(n.isArray(b))n.each(b,function(b,e){c||_b.test(a)?d(a,e):dc(a+"["+("object"==typeof e&&null!=e?b:"")+"]",e,c,d)});else if(c||"object"!==n.type(b))d(a,b);else for(e in b)dc(a+"["+e+"]",b[e],c,d)}n.param=function(a,b){var c,d=[],e=function(a,b){b=n.isFunction(b)?b():null==b?"":b,d[d.length]=encodeURIComponent(a)+"="+encodeURIComponent(b)};if(void 0===b&&(b=n.ajaxSettings&&n.ajaxSettings.traditional),n.isArray(a)||a.jquery&&!n.isPlainObject(a))n.each(a,function(){e(this.name,this.value)});else for(c in a)dc(c,a[c],b,e);return d.join("&").replace($b,"+")},n.fn.extend({serialize:function(){return n.param(this.serializeArray())},serializeArray:function(){return this.map(function(){var a=n.prop(this,"elements");return a?n.makeArray(a):this}).filter(function(){var a=this.type;return this.name&&!n(this).is(":disabled")&&cc.test(this.nodeName)&&!bc.test(a)&&(this.checked||!Z.test(a))}).map(function(a,b){var c=n(this).val();return null==c?null:n.isArray(c)?n.map(c,function(a){return{name:b.name,value:a.replace(ac,"\r\n")}}):{name:b.name,value:c.replace(ac,"\r\n")}}).get()}}),n.ajaxSettings.xhr=void 0!==a.ActiveXObject?function(){return this.isLocal?ic():d.documentMode>8?hc():/^(get|post|head|put|delete|options)$/i.test(this.type)&&hc()||ic()}:hc;var ec=0,fc={},gc=n.ajaxSettings.xhr();a.attachEvent&&a.attachEvent("onunload",function(){for(var a in fc)fc[a](void 0,!0)}),l.cors=!!gc&&"withCredentials"in gc,gc=l.ajax=!!gc,gc&&n.ajaxTransport(function(b){if(!b.crossDomain||l.cors){var c;return{send:function(d,e){var f,g=b.xhr(),h=++ec;if(g.open(b.type,b.url,b.async,b.username,b.password),b.xhrFields)for(f in b.xhrFields)g[f]=b.xhrFields[f];b.mimeType&&g.overrideMimeType&&g.overrideMimeType(b.mimeType),b.crossDomain||d["X-Requested-With"]||(d["X-Requested-With"]="XMLHttpRequest");for(f in d)void 0!==d[f]&&g.setRequestHeader(f,d[f]+"");g.send(b.hasContent&&b.data||null),c=function(a,d){var f,i,j;if(c&&(d||4===g.readyState))if(delete fc[h],c=void 0,g.onreadystatechange=n.noop,d)4!==g.readyState&&g.abort();else{j={},f=g.status,"string"==typeof g.responseText&&(j.text=g.responseText);try{i=g.statusText}catch(k){i=""}f||!b.isLocal||b.crossDomain?1223===f&&(f=204):f=j.text?200:404}j&&e(f,i,j,g.getAllResponseHeaders())},b.async?4===g.readyState?a.setTimeout(c):g.onreadystatechange=fc[h]=c:c()},abort:function(){c&&c(void 0,!0)}}}});function hc(){try{return new a.XMLHttpRequest}catch(b){}}function ic(){try{return new a.ActiveXObject("Microsoft.XMLHTTP")}catch(b){}}n.ajaxSetup({accepts:{script:"text/javascript, application/javascript, application/ecmascript, application/x-ecmascript"},contents:{script:/\b(?:java|ecma)script\b/},converters:{"text script":function(a){return n.globalEval(a),a}}}),n.ajaxPrefilter("script",function(a){void 0===a.cache&&(a.cache=!1),a.crossDomain&&(a.type="GET",a.global=!1)}),n.ajaxTransport("script",function(a){if(a.crossDomain){var b,c=d.head||n("head")[0]||d.documentElement;return{send:function(e,f){b=d.createElement("script"),b.async=!0,a.scriptCharset&&(b.charset=a.scriptCharset),b.src=a.url,b.onload=b.onreadystatechange=function(a,c){(c||!b.readyState||/loaded|complete/.test(b.readyState))&&(b.onload=b.onreadystatechange=null,b.parentNode&&b.parentNode.removeChild(b),b=null,c||f(200,"success"))},c.insertBefore(b,c.firstChild)},abort:function(){b&&b.onload(void 0,!0)}}}});var jc=[],kc=/(=)\?(?=&|$)|\?\?/;n.ajaxSetup({jsonp:"callback",jsonpCallback:function(){var a=jc.pop()||n.expando+"_"+Eb++;return this[a]=!0,a}}),n.ajaxPrefilter("json jsonp",function(b,c,d){var e,f,g,h=b.jsonp!==!1&&(kc.test(b.url)?"url":"string"==typeof b.data&&0===(b.contentType||"").indexOf("application/x-www-form-urlencoded")&&kc.test(b.data)&&"data");return h||"jsonp"===b.dataTypes[0]?(e=b.jsonpCallback=n.isFunction(b.jsonpCallback)?b.jsonpCallback():b.jsonpCallback,h?b[h]=b[h].replace(kc,"$1"+e):b.jsonp!==!1&&(b.url+=(Fb.test(b.url)?"&":"?")+b.jsonp+"="+e),b.converters["script json"]=function(){return g||n.error(e+" was not called"),g[0]},b.dataTypes[0]="json",f=a[e],a[e]=function(){g=arguments},d.always(function(){void 0===f?n(a).removeProp(e):a[e]=f,b[e]&&(b.jsonpCallback=c.jsonpCallback,jc.push(e)),g&&n.isFunction(f)&&f(g[0]),g=f=void 0}),"script"):void 0}),n.parseHTML=function(a,b,c){if(!a||"string"!=typeof a)return null;"boolean"==typeof b&&(c=b,b=!1),b=b||d;var e=x.exec(a),f=!c&&[];return e?[b.createElement(e[1])]:(e=ja([a],b,f),f&&f.length&&n(f).remove(),n.merge([],e.childNodes))};var lc=n.fn.load;n.fn.load=function(a,b,c){if("string"!=typeof a&&lc)return lc.apply(this,arguments);var d,e,f,g=this,h=a.indexOf(" ");return h>-1&&(d=n.trim(a.slice(h,a.length)),a=a.slice(0,h)),n.isFunction(b)?(c=b,b=void 0):b&&"object"==typeof b&&(e="POST"),g.length>0&&n.ajax({url:a,type:e||"GET",dataType:"html",data:b}).done(function(a){f=arguments,g.html(d?n("<div>").append(n.parseHTML(a)).find(d):a)}).always(c&&function(a,b){g.each(function(){c.apply(this,f||[a.responseText,b,a])})}),this},n.each(["ajaxStart","ajaxStop","ajaxComplete","ajaxError","ajaxSuccess","ajaxSend"],function(a,b){n.fn[b]=function(a){return this.on(b,a)}}),n.expr.filters.animated=function(a){return n.grep(n.timers,function(b){return a===b.elem}).length};function mc(a){return n.isWindow(a)?a:9===a.nodeType?a.defaultView||a.parentWindow:!1}n.offset={setOffset:function(a,b,c){var d,e,f,g,h,i,j,k=n.css(a,"position"),l=n(a),m={};"static"===k&&(a.style.position="relative"),h=l.offset(),f=n.css(a,"top"),i=n.css(a,"left"),j=("absolute"===k||"fixed"===k)&&n.inArray("auto",[f,i])>-1,j?(d=l.position(),g=d.top,e=d.left):(g=parseFloat(f)||0,e=parseFloat(i)||0),n.isFunction(b)&&(b=b.call(a,c,n.extend({},h))),null!=b.top&&(m.top=b.top-h.top+g),null!=b.left&&(m.left=b.left-h.left+e),"using"in b?b.using.call(a,m):l.css(m)}},n.fn.extend({offset:function(a){if(arguments.length)return void 0===a?this:this.each(function(b){n.offset.setOffset(this,a,b)});var b,c,d={top:0,left:0},e=this[0],f=e&&e.ownerDocument;if(f)return b=f.documentElement,n.contains(b,e)?("undefined"!=typeof e.getBoundingClientRect&&(d=e.getBoundingClientRect()),c=mc(f),{top:d.top+(c.pageYOffset||b.scrollTop)-(b.clientTop||0),left:d.left+(c.pageXOffset||b.scrollLeft)-(b.clientLeft||0)}):d},position:function(){if(this[0]){var a,b,c={top:0,left:0},d=this[0];return"fixed"===n.css(d,"position")?b=d.getBoundingClientRect():(a=this.offsetParent(),b=this.offset(),n.nodeName(a[0],"html")||(c=a.offset()),c.top+=n.css(a[0],"borderTopWidth",!0),c.left+=n.css(a[0],"borderLeftWidth",!0)),{top:b.top-c.top-n.css(d,"marginTop",!0),left:b.left-c.left-n.css(d,"marginLeft",!0)}}},offsetParent:function(){return this.map(function(){var a=this.offsetParent;while(a&&!n.nodeName(a,"html")&&"static"===n.css(a,"position"))a=a.offsetParent;return a||Qa})}}),n.each({scrollLeft:"pageXOffset",scrollTop:"pageYOffset"},function(a,b){var c=/Y/.test(b);n.fn[a]=function(d){return Y(this,function(a,d,e){var f=mc(a);return void 0===e?f?b in f?f[b]:f.document.documentElement[d]:a[d]:void(f?f.scrollTo(c?n(f).scrollLeft():e,c?e:n(f).scrollTop()):a[d]=e)},a,d,arguments.length,null)}}),n.each(["top","left"],function(a,b){n.cssHooks[b]=Ua(l.pixelPosition,function(a,c){return c?(c=Sa(a,b),Oa.test(c)?n(a).position()[b]+"px":c):void 0})}),n.each({Height:"height",Width:"width"},function(a,b){n.each({ >padding:"inner"+a,content:b,"":"outer"+a},function(c,d){n.fn[d]=function(d,e){var f=arguments.length&&(c||"boolean"!=typeof d),g=c||(d===!0||e===!0?"margin":"border");return Y(this,function(b,c,d){var e;return n.isWindow(b)?b.document.documentElement["client"+a]:9===b.nodeType?(e=b.documentElement,Math.max(b.body["scroll"+a],e["scroll"+a],b.body["offset"+a],e["offset"+a],e["client"+a])):void 0===d?n.css(b,c,g):n.style(b,c,d,g)},b,f?d:void 0,f,null)}})}),n.fn.extend({bind:function(a,b,c){return this.on(a,null,b,c)},unbind:function(a,b){return this.off(a,null,b)},delegate:function(a,b,c,d){return this.on(b,a,c,d)},undelegate:function(a,b,c){return 1===arguments.length?this.off(a,"**"):this.off(b,a||"**",c)}}),n.fn.size=function(){return this.length},n.fn.andSelf=n.fn.addBack,"function"==typeof define&&define.amd&&define("jquery",[],function(){return n});var nc=a.jQuery,oc=a.$;return n.noConflict=function(b){return a.$===n&&(a.$=oc),b&&a.jQuery===n&&(a.jQuery=nc),n},b||(a.jQuery=a.$=n),n}); >(function($){var Node,Tree,methods;Node=(function(){function Node(row,tree,settings){var parentId;this.row=row;this.tree=tree;this.settings=settings;this.id=this.row.data(this.settings.nodeIdAttr);parentId=this.row.data(this.settings.parentIdAttr);if(parentId!=null&&parentId!=="")this.parentId=parentId;this.treeCell=$(this.row.children(this.settings.columnElType)[this.settings.column]);this.expander=$(this.settings.expanderTemplate);this.indenter=$(this.settings.indenterTemplate);this.children=[];this.initialized=false;this.treeCell.prepend(this.indenter);}Node.prototype.addChild=function(child){return this.children.push(child);};Node.prototype.ancestors=function(){var ancestors,node;node=this;ancestors=[];while(node=node.parentNode())ancestors.push(node);return ancestors;};Node.prototype.collapse=function(){if(this.collapsed())return this;this.row.removeClass("expanded").addClass("collapsed");this._hideChildren();this.expander.attr("title",this.settings.stringExpand);if(this.initialized&&this.settings.onNodeCollapse!=null)this.settings.onNodeCollapse.apply(this);return this;};Node.prototype.collapsed=function(){return this.row.hasClass("collapsed");};Node.prototype.expand=function(){if(this.expanded())return this;this.row.removeClass("collapsed").addClass("expanded");if(this.initialized&&this.settings.onNodeExpand!=null)this.settings.onNodeExpand.apply(this);if($(this.row).is(":visible"))this._showChildren();this.expander.attr("title",this.settings.stringCollapse);return this;};Node.prototype.expanded=function(){return this.row.hasClass("expanded");};Node.prototype.hide=function(){this._hideChildren();this.row.hide();return this;};Node.prototype.isBranchNode=function(){if(this.children.length>0||this.row.data(this.settings.branchAttr)===true)return true;else return false;};Node.prototype.updateBranchLeafClass=function(){this.row.removeClass('branch');this.row.removeClass('leaf');this.row.addClass(this.isBranchNode()?'branch':'leaf');};Node.prototype.level=function(){return this.ancestors().length;};Node.prototype.parentNode=function(){if(this.parentId!=null)return this.tree[this.parentId];else return null;};Node.prototype.removeChild=function(child){var i=$.inArray(child,this.children);return this.children.splice(i,1);};Node.prototype.render=function(){var handler,settings=this.settings,target;if(settings.expandable===true&&this.isBranchNode()){handler=function(e){$(this).parents("table").treetable("node",$(this).parents("tr").data(settings.nodeIdAttr)).toggle();return e.preventDefault();};this.indenter.html(this.expander);target=settings.clickableNodeNames===true?this.treeCell:this.expander;target.off("click.treetable").on("click.treetable",handler);target.off("keydown.treetable").on("keydown.treetable",function(e){if(e.keyCode==13)handler.apply(this,[e]);});}this.indenter[0].style.paddingLeft=""+(this.level()*settings.indent)+"px";return this;};Node.prototype.reveal=function(){if(this.parentId!=null)this.parentNode().reveal();return this.expand();};Node.prototype.setParent=function(node){if(this.parentId!=null)this.tree[this.parentId].removeChild(this);this.parentId=node.id;this.row.data(this.settings.parentIdAttr,node.id);return node.addChild(this);};Node.prototype.show=function(){if(!this.initialized)this._initialize();this.row.show();if(this.expanded())this._showChildren();return this;};Node.prototype.toggle=function(){if(this.expanded())this.collapse();else this.expand();return this;};Node.prototype._hideChildren=function(){var child,_i,_len,_ref,_results;_ref=this.children;_results=[];for(_i=0,_len=_ref.length;_i<_len;_i++){child=_ref[_i];_results.push(child.hide());}return _results;};Node.prototype._initialize=function(){var settings=this.settings;this.render();if(settings.expandable===true&&settings.initialState==="collapsed")this.collapse();else this.expand();if(settings.onNodeInitialized!=null)settings.onNodeInitialized.apply(this);return this.initialized=true;};Node.prototype._showChildren=function(){var child,_i,_len,_ref,_results;_ref=this.children;_results=[];for(_i=0,_len=_ref.length;_i<_len;_i++){child=_ref[_i];_results.push(child.show());}return _results;};return Node;})();Tree=(function(){function Tree(table,settings){this.table=table;this.settings=settings;this.tree={};this.nodes=[];this.roots=[];}Tree.prototype.collapseAll=function(){var node,_i,_len,_ref,_results;_ref=this.nodes;_results=[];for(_i=0,_len=_ref.length;_i<_len;_i++){node=_ref[_i];_results.push(node.collapse());}return _results;};Tree.prototype.expandAll=function(){var node,_i,_len,_ref,_results;_ref=this.nodes;_results=[];for(_i=0,_len=_ref.length;_i<_len;_i++){node=_ref[_i];_results.push(node.expand());}return _results;};Tree.prototype.findLastNode=function(node){if(node.children.length>0)return this.findLastNode(node.children[node.children.length-1]);else return node;};Tree.prototype.loadRows=function(rows){var node,row,i;if(rows!=null)for(i=0;i<rows.length;i++){row=$(rows[i]);if(row.data(this.settings.nodeIdAttr)!=null){node=new Node(row,this.tree,this.settings);this.nodes.push(node);this.tree[node.id]=node;if(node.parentId!=null&&this.tree[node.parentId])this.tree[node.parentId].addChild(node);else this.roots.push(node);}}for(i=0;i<this.nodes.length;i++)node=this.nodes[i].updateBranchLeafClass();return this;};Tree.prototype.move=function(node,destination){var nodeParent=node.parentNode();if(node!==destination&&destination.id!==node.parentId&&$.inArray(node,destination.ancestors())===-1){node.setParent(destination);this._moveRows(node,destination);if(node.parentNode().children.length===1)node.parentNode().render();}if(nodeParent)nodeParent.updateBranchLeafClass();if(node.parentNode())node.parentNode().updateBranchLeafClass();node.updateBranchLeafClass();return this;};Tree.prototype.removeNode=function(node){this.unloadBranch(node);node.row.remove();if(node.parentId!=null)node.parentNode().removeChild(node);delete this.tree[node.id];this.nodes.splice($.inArray(node,this.nodes),1);return this;};Tree.prototype.render=function(){var root,_i,_len,_ref;_ref=this.roots;for(_i=0,_len=_ref.length;_i<_len;_i++){root=_ref[_i];root.show();}return this;};Tree.prototype.sortBranch=function(node,sortFun){node.children.sort(sortFun);this._sortChildRows(node);return this;};Tree.prototype.unloadBranch=function(node){var children=node.children.slice(0),i;for(i=0;i<children.length;i++)this.removeNode(children[i]);node.children=[];node.updateBranchLeafClass();return this;};Tree.prototype._moveRows=function(node,destination){var children=node.children,i;node.row.insertAfter(destination.row);node.render();for(i=children.length-1;i>=0;i--)this._moveRows(children[i],node);};Tree.prototype._sortChildRows=function(parentNode){return this._moveRows(parentNode,parentNode);};return Tree;})();methods={init:function(options,force){var settings;settings=$.extend({branchAttr:"ttBranch",clickableNodeNames:false,column:0,columnElType:"td",expandable:false,expanderTemplate:"<a href='#'> </a>",indent:19,indenterTemplate:"<span class='indenter'></span>",initialState:"collapsed",nodeIdAttr:"ttId",parentIdAttr:"ttParentId",stringExpand:"Expand",stringCollapse:"Collapse",onInitialized:null,onNodeCollapse:null,onNodeExpand:null,onNodeInitialized:null},options);return this.each(function(){var el=$(this),tree;if(force||el.data("treetable")===undefined){tree=new Tree(this,settings);tree.loadRows(this.rows).render();el.addClass("treetable").data("treetable",tree);if(settings.onInitialized!=null)settings.onInitialized.apply(tree);}return el;});},destroy:function(){return this.each(function(){return $(this).removeData("treetable").removeClass("treetable");});},collapseAll:function(){this.data("treetable").collapseAll();return this;},collapseNode:function(id){var node=this.data("treetable").tree[id];if(node)node.collapse();else throw new Error("Unknown node '"+id+"'");return this;},expandAll:function(){this.data("treetable").expandAll();return this;},expandNode:function(id){var node=this.data("treetable").tree[id];if(node){if(!node.initialized)node._initialize();node.expand();}else throw new Error("Unknown node '"+id+"'");return this;},loadBranch:function(node,rows){var settings=this.data("treetable").settings,tree=this.data("treetable").tree;rows=$(rows);if(node==null)this.append(rows);else{var lastNode=this.data("treetable").findLastNode(node);rows.insertAfter(lastNode.row);}this.data("treetable").loadRows(rows);rows.filter("tr").each(function(){tree[$(this).data(settings.nodeIdAttr)].show();});if(node!=null)node.render().expand();return this;},move:function(nodeId,destinationId){var destination,node;node=this.data("treetable").tree[nodeId];destination=this.data("treetable").tree[destinationId];this.data("treetable").move(node,destination);return this;},node:function(id){return this.data("treetable").tree[id];},removeNode:function(id){var node=this.data("treetable").tree[id];if(node)this.data("treetable").removeNode(node);else throw new Error("Unknown node '"+id+"'");return this;},reveal:function(id){var node=this.data("treetable").tree[id];if(node)node.reveal();else throw new Error("Unknown node '"+id+"'");return this;},sortBranch:function(node,columnOrFunction){var settings=this.data("treetable").settings,prepValue,sortFun;columnOrFunction=columnOrFunction||settings.column;sortFun=columnOrFunction;if($.isNumeric(columnOrFunction))sortFun=function(a,b){var extractValue,valA,valB;extractValue=function(node){var val=node.row.find("td:eq("+columnOrFunction+")").text();return $.trim(val).toUpperCase();};valA=extractValue(a);valB=extractValue(b);if(valA<valB)return -1;if(valA>valB)return 1;return 0;};this.data("treetable").sortBranch(node,sortFun);return this;},unloadBranch:function(node){this.data("treetable").unloadBranch(node);return this;}};$.fn.treetable=function(method){if(methods[method])return methods[method].apply(this,Array.prototype.slice.call(arguments,1));else if(typeof method==='object'||!method)return methods.init.apply(this,arguments);else return $.error("Method "+method+" does not exist on jQuery.treetable");};this.TreeTable||(this.TreeTable={});this.TreeTable.Node=Node;this.TreeTable.Tree=Tree;})(jQuery);if("undefined"==typeof jQuery)throw new Error("Bootstrap's JavaScript requires jQuery");+function(t){"use strict";var e=t.fn.jquery.split(" ")[0].split(".");if(e[0]<2&&e[1]<9||1==e[0]&&9==e[1]&&e[2]<1||e[0]>3)throw new Error("Bootstrap's JavaScript requires jQuery version 1.9.1 or higher, but lower than version 4");}(jQuery),+function(t){"use strict";function e(e){return this.each(function(){var i=t(this),o=i.data("bs.alert");o||i.data("bs.alert",o=new n(this)),"string"==typeof e&&o[e].call(i);});}var i='[data-dismiss="alert"]',n=function(e){t(e).on("click",i,this.close);};n.VERSION="3.3.7",n.TRANSITION_DURATION=150,n.prototype.close=function(e){function i(){a.detach().trigger("closed.bs.alert").remove();}var o=t(this),s=o.attr("data-target");s||(s=o.attr("href"),s=s&&s.replace(/.*(?=#[^\s]*$)/,""));var a=t("#"===s?[]:s);e&&e.preventDefault(),a.length||(a=o.closest(".alert")),a.trigger(e=t.Event("close.bs.alert")),e.isDefaultPrevented()||(a.removeClass("in"),t.support.transition&&a.hasClass("fade")?a.one("bsTransitionEnd",i).emulateTransitionEnd(n.TRANSITION_DURATION):i());};var o=t.fn.alert;t.fn.alert=e,t.fn.alert.Constructor=n,t.fn.alert.noConflict=function(){return t.fn.alert=o,this;},t(document).on("click.bs.alert.data-api",i,n.prototype.close);}(jQuery),+function(t){"use strict";function e(e){var i=e.attr("data-target");i||(i=e.attr("href"),i=i&&/#[A-Za-z]/.test(i)&&i.replace(/.*(?=#[^\s]*$)/,""));var n=i&&t(i);return n&&n.length?n:e.parent();}function i(i){i&&3===i.which||(t(o).remove(),t(s).each(function(){var n=t(this),o=e(n),s={relatedTarget:this};o.hasClass("open")&&(i&&"click"==i.type&&/input|textarea/i.test(i.target.tagName)&&t.contains(o[0],i.target)||(o.trigger(i=t.Event("hide.bs.dropdown",s)),i.isDefaultPrevented()||(n.attr("aria-expanded","false"),o.removeClass("open").trigger(t.Event("hidden.bs.dropdown",s)))));}));}function n(e){return this.each(function(){var i=t(this),n=i.data("bs.dropdown");n||i.data("bs.dropdown",n=new a(this)),"string"==typeof e&&n[e].call(i);});}var o=".dropdown-backdrop",s='[data-toggle="dropdown"]',a=function(e){t(e).on("click.bs.dropdown",this.toggle);};a.VERSION="3.3.7",a.prototype.toggle=function(n){var o=t(this);if(!o.is(".disabled, :disabled")){var s=e(o),a=s.hasClass("open");if(i(),!a){"ontouchstart" in document.documentElement&&!s.closest(".navbar-nav").length&&t(document.createElement("div")).addClass("dropdown-backdrop").insertAfter(t(this)).on("click",i);var r={relatedTarget:this};if(s.trigger(n=t.Event("show.bs.dropdown",r)),n.isDefaultPrevented())return;o.trigger("focus").attr("aria-expanded","true"),s.toggleClass("open").trigger(t.Event("shown.bs.dropdown",r));}return !1;}},a.prototype.keydown=function(i){if(/(38|40|27|32)/.test(i.which)&&!/input|textarea/i.test(i.target.tagName)){var n=t(this);if(i.preventDefault(),i.stopPropagation(),!n.is(".disabled, :disabled")){var o=e(n),a=o.hasClass("open");if(!a&&27!=i.which||a&&27==i.which)return 27==i.which&&o.find(s).trigger("focus"),n.trigger("click");var r=" li:not(.disabled):visible a",d=o.find(".dropdown-menu"+r);if(d.length){var l=d.index(i.target);38==i.which&&l>0&&l--,40==i.which&&l<d.length-1&&l++,~l||(l=0),d.eq(l).trigger("focus");}}}};var r=t.fn.dropdown;t.fn.dropdown=n,t.fn.dropdown.Constructor=a,t.fn.dropdown.noConflict=function(){return t.fn.dropdown=r,this;},t(document).on("click.bs.dropdown.data-api",i).on("click.bs.dropdown.data-api",".dropdown form",function(t){t.stopPropagation();}).on("click.bs.dropdown.data-api",s,a.prototype.toggle).on("keydown.bs.dropdown.data-api",s,a.prototype.keydown).on("keydown.bs.dropdown.data-api",".dropdown-menu",a.prototype.keydown);}(jQuery),+function(t){"use strict";function e(e,n){return this.each(function(){var o=t(this),s=o.data("bs.modal"),a=t.extend({},i.DEFAULTS,o.data(),"object"==typeof e&&e);s||o.data("bs.modal",s=new i(this,a)),"string"==typeof e?s[e](n):a.show&&s.show(n);});}var i=function(e,i){this.options=i,this.$body=t(document.body),this.$element=t(e),this.$dialog=this.$element.find(".modal-dialog"),this.$backdrop=null,this.isShown=null,this.originalBodyPad=null,this.scrollbarWidth=0,this.ignoreBackdropClick=!1,this.options.remote&&this.$element.find(".modal-content").load(this.options.remote,t.proxy(function(){this.$element.trigger("loaded.bs.modal");},this));};i.VERSION="3.3.7",i.TRANSITION_DURATION=300,i.BACKDROP_TRANSITION_DURATION=150,i.DEFAULTS={backdrop:!0,keyboard:!0,show:!0},i.prototype.toggle=function(t){return this.isShown?this.hide():this.show(t);},i.prototype.show=function(e){var n=this,o=t.Event("show.bs.modal",{relatedTarget:e});this.$element.trigger(o),this.isShown||o.isDefaultPrevented()||(this.isShown=!0,this.checkScrollbar(),this.setScrollbar(),this.$body.addClass("modal-open"),this.escape(),this.resize(),this.$element.on("click.dismiss.bs.modal",'[data-dismiss="modal"]',t.proxy(this.hide,this)),this.$dialog.on("mousedown.dismiss.bs.modal",function(){n.$element.one("mouseup.dismiss.bs.modal",function(e){t(e.target).is(n.$element)&&(n.ignoreBackdropClick=!0);});}),this.backdrop(function(){var o=t.support.transition&&n.$element.hasClass("fade");n.$element.parent().length||n.$element.appendTo(n.$body),n.$element.show().scrollTop(0),n.adjustDialog(),o&&n.$element[0].offsetWidth,n.$element.addClass("in"),n.enforceFocus();var s=t.Event("shown.bs.modal",{relatedTarget:e});o?n.$dialog.one("bsTransitionEnd",function(){n.$element.trigger("focus").trigger(s);}).emulateTransitionEnd(i.TRANSITION_DURATION):n.$element.trigger("focus").trigger(s);}));},i.prototype.hide=function(e){e&&e.preventDefault(),e=t.Event("hide.bs.modal"),this.$element.trigger(e),this.isShown&&!e.isDefaultPrevented()&&(this.isShown=!1,this.escape(),this.resize(),t(document).off("focusin.bs.modal"),this.$element.removeClass("in").off("click.dismiss.bs.modal").off("mouseup.dismiss.bs.modal"),this.$dialog.off("mousedown.dismiss.bs.modal"),t.support.transition&&this.$element.hasClass("fade")?this.$element.one("bsTransitionEnd",t.proxy(this.hideModal,this)).emulateTransitionEnd(i.TRANSITION_DURATION):this.hideModal());},i.prototype.enforceFocus=function(){t(document).off("focusin.bs.modal").on("focusin.bs.modal",t.proxy(function(t){document===t.target||this.$element[0]===t.target||this.$element.has(t.target).length||this.$element.trigger("focus");},this));},i.prototype.escape=function(){this.isShown&&this.options.keyboard?this.$element.on("keydown.dismiss.bs.modal",t.proxy(function(t){27==t.which&&this.hide();},this)):this.isShown||this.$element.off("keydown.dismiss.bs.modal");},i.prototype.resize=function(){this.isShown?t(window).on("resize.bs.modal",t.proxy(this.handleUpdate,this)):t(window).off("resize.bs.modal");},i.prototype.hideModal=function(){var t=this;this.$element.hide(),this.backdrop(function(){t.$body.removeClass("modal-open"),t.resetAdjustments(),t.resetScrollbar(),t.$element.trigger("hidden.bs.modal");});},i.prototype.removeBackdrop=function(){this.$backdrop&&this.$backdrop.remove(),this.$backdrop=null;},i.prototype.backdrop=function(e){var n=this,o=this.$element.hasClass("fade")?"fade":"";if(this.isShown&&this.options.backdrop){var s=t.support.transition&&o;if(this.$backdrop=t(document.createElement("div")).addClass("modal-backdrop "+o).appendTo(this.$body),this.$element.on("click.dismiss.bs.modal",t.proxy(function(t){return this.ignoreBackdropClick?void (this.ignoreBackdropClick=!1):void (t.target===t.currentTarget&&("static"==this.options.backdrop?this.$element[0].focus():this.hide()));},this)),s&&this.$backdrop[0].offsetWidth,this.$backdrop.addClass("in"),!e)return;s?this.$backdrop.one("bsTransitionEnd",e).emulateTransitionEnd(i.BACKDROP_TRANSITION_DURATION):e();}else if(!this.isShown&&this.$backdrop){this.$backdrop.removeClass("in");var a=function(){n.removeBackdrop(),e&&e();};t.support.transition&&this.$element.hasClass("fade")?this.$backdrop.one("bsTransitionEnd",a).emulateTransitionEnd(i.BACKDROP_TRANSITION_DURATION):a();}else e&&e();},i.prototype.handleUpdate=function(){this.adjustDialog();},i.prototype.adjustDialog=function(){var t=this.$element[0].scrollHeight>document.documentElement.clientHeight;this.$element.css({paddingLeft:!this.bodyIsOverflowing&&t?this.scrollbarWidth:"",paddingRight:this.bodyIsOverflowing&&!t?this.scrollbarWidth:""});},i.prototype.resetAdjustments=function(){this.$element.css({paddingLeft:"",paddingRight:""});},i.prototype.checkScrollbar=function(){var t=window.innerWidth;if(!t){var e=document.documentElement.getBoundingClientRect();t=e.right-Math.abs(e.left);}this.bodyIsOverflowing=document.body.clientWidth<t,this.scrollbarWidth=this.measureScrollbar();},i.prototype.setScrollbar=function(){var t=parseInt(this.$body.css("padding-right")||0,10);this.originalBodyPad=document.body.style.paddingRight||"",this.bodyIsOverflowing&&this.$body.css("padding-right",t+this.scrollbarWidth);},i.prototype.resetScrollbar=function(){this.$body.css("padding-right",this.originalBodyPad);},i.prototype.measureScrollbar=function(){var t=document.createElement("div");t.className="modal-scrollbar-measure",this.$body.append(t);var e=t.offsetWidth-t.clientWidth;return this.$body[0].removeChild(t),e;};var n=t.fn.modal;t.fn.modal=e,t.fn.modal.Constructor=i,t.fn.modal.noConflict=function(){return t.fn.modal=n,this;},t(document).on("click.bs.modal.data-api",'[data-toggle="modal"]',function(i){var n=t(this),o=n.attr("href"),s=t(n.attr("data-target")||o&&o.replace(/.*(?=#[^\s]+$)/,"")),a=s.data("bs.modal")?"toggle":t.extend({remote:!/#/.test(o)&&o},s.data(),n.data());n.is("a")&&i.preventDefault(),s.one("show.bs.modal",function(t){t.isDefaultPrevented()||s.one("hidden.bs.modal",function(){n.is(":visible")&&n.trigger("focus");});}),e.call(s,a,this);});}(jQuery),+function(t){"use strict";function e(e){var i,n=e.attr("data-target")||(i=e.attr("href"))&&i.replace(/.*(?=#[^\s]+$)/,"");return t(n);}function i(e){return this.each(function(){var i=t(this),o=i.data("bs.collapse"),s=t.extend({},n.DEFAULTS,i.data(),"object"==typeof e&&e);!o&&s.toggle&&/show|hide/.test(e)&&(s.toggle=!1),o||i.data("bs.collapse",o=new n(this,s)),"string"==typeof e&&o[e]();});}var n=function(e,i){this.$element=t(e),this.options=t.extend({},n.DEFAULTS,i),this.$trigger=t('[data-toggle="collapse"][href="#'+e.id+'"],[data-toggle="collapse"][data-target="#'+e.id+'"]'),this.transitioning=null,this.options.parent?this.$parent=this.getParent():this.addAriaAndCollapsedClass(this.$element,this.$trigger),this.options.toggle&&this.toggle();};n.VERSION="3.3.7",n.TRANSITION_DURATION=350,n.DEFAULTS={toggle:!0},n.prototype.dimension=function(){var t=this.$element.hasClass("width");return t?"width":"height";},n.prototype.show=function(){if(!this.transitioning&&!this.$element.hasClass("in")){var e,o=this.$parent&&this.$parent.children(".panel").children(".in, .collapsing");if(!(o&&o.length&&(e=o.data("bs.collapse"),e&&e.transitioning))){var s=t.Event("show.bs.collapse");if(this.$element.trigger(s),!s.isDefaultPrevented()){o&&o.length&&(i.call(o,"hide"),e||o.data("bs.collapse",null));var a=this.dimension();this.$element.removeClass("collapse").addClass("collapsing")[a](0).attr("aria-expanded",!0),this.$trigger.removeClass("collapsed").attr("aria-expanded",!0),this.transitioning=1;var r=function(){this.$element.removeClass("collapsing").addClass("collapse in")[a](""),this.transitioning=0,this.$element.trigger("shown.bs.collapse");};if(!t.support.transition)return r.call(this);var d=t.camelCase(["scroll",a].join("-"));this.$element.one("bsTransitionEnd",t.proxy(r,this)).emulateTransitionEnd(n.TRANSITION_DURATION)[a](this.$element[0][d]);}}}},n.prototype.hide=function(){if(!this.transitioning&&this.$element.hasClass("in")){var e=t.Event("hide.bs.collapse");if(this.$element.trigger(e),!e.isDefaultPrevented()){var i=this.dimension();this.$element[i](this.$element[i]())[0].offsetHeight,this.$element.addClass("collapsing").removeClass("collapse in").attr("aria-expanded",!1),this.$trigger.addClass("collapsed").attr("aria-expanded",!1),this.transitioning=1;var o=function(){this.transitioning=0,this.$element.removeClass("collapsing").addClass("collapse").trigger("hidden.bs.collapse");};return t.support.transition?void this.$element[i](0).one("bsTransitionEnd",t.proxy(o,this)).emulateTransitionEnd(n.TRANSITION_DURATION):o.call(this);}}},n.prototype.toggle=function(){this[this.$element.hasClass("in")?"hide":"show"]();},n.prototype.getParent=function(){return t(this.options.parent).find('[data-toggle="collapse"][data-parent="'+this.options.parent+'"]').each(t.proxy(function(i,n){var o=t(n);this.addAriaAndCollapsedClass(e(o),o);},this)).end();},n.prototype.addAriaAndCollapsedClass=function(t,e){var i=t.hasClass("in");t.attr("aria-expanded",i),e.toggleClass("collapsed",!i).attr("aria-expanded",i);};var o=t.fn.collapse;t.fn.collapse=i,t.fn.collapse.Constructor=n,t.fn.collapse.noConflict=function(){return t.fn.collapse=o,this;},t(document).on("click.bs.collapse.data-api",'[data-toggle="collapse"]',function(n){var o=t(this);o.attr("data-target")||n.preventDefault();var s=e(o),a=s.data("bs.collapse"),r=a?"toggle":o.data();i.call(s,r);});}(jQuery),+function(t){"use strict";function e(){var t=document.createElement("bootstrap"),e={WebkitTransition:"webkitTransitionEnd",MozTransition:"transitionend",OTransition:"oTransitionEnd otransitionend",transition:"transitionend"};for(var i in e)if(void 0!==t.style[i])return{end:e[i]};return !1;}t.fn.emulateTransitionEnd=function(e){var i=!1,n=this;t(this).one("bsTransitionEnd",function(){i=!0;});var o=function(){i||t(n).trigger(t.support.transition.end);};return setTimeout(o,e),this;},t(function(){t.support.transition=e(),t.support.transition&&(t.event.special.bsTransitionEnd={bindType:t.support.transition.end,delegateType:t.support.transition.end,handle:function(e){return t(e.target).is(this)?e.handleObj.handler.apply(this,arguments):void 0;}});});}(jQuery);function openRuleDetailsDialog(rule_result_id){$("#detail-modal").remove();var closebutton=$('<button type="button" class="close btn btn-sm btn-default" data-dismiss="modal" aria-hidden="true" title="Close">❌</button>');var modal=$('<div id="detail-modal" class="modal fade" tabindex="-1" role="dialog" aria-hidden="true"><div id="detail-modal-body" class="modal-body"></div></div>');$("body").prepend(modal);var clone=$("#rule-detail-"+rule_result_id).clone();clone.attr("id","");clone.children(".panel-heading").append(closebutton);closebutton.css({"float":"right"});closebutton.css({"margin-top":"-=23px"});$("#detail-modal-body").append(clone);$("#detail-modal").modal();return false;}function toggleRuleDisplay(checkbox){var result=checkbox.value;if(checkbox.checked){$(".rule-overview-leaf-"+result).removeClass("rule-result-filtered");$(".rule-detail-"+result).removeClass("rule-result-filtered");}else{$(".rule-overview-leaf-"+result).addClass("rule-result-filtered");$(".rule-detail-"+result).addClass("rule-result-filtered");}stripeTreeTable();}function toggleResultDetails(button){var result_details=$("#result-details");if(result_details.is(":visible")){result_details.hide();$(button).html("Show all result details");}else{result_details.show();$(button).html("Hide all result details");}return false;}function ruleSearchMatches(detail_leaf,keywords){if(keywords.length==0)return true;var match=true;var checked_keywords=detail_leaf.children(".keywords").text().toLowerCase();var index;for(index=0;index<keywords.length;++index)if(checked_keywords.indexOf(keywords[index].toLowerCase())<0){match=false;break;}return match;}function ruleSearch(){var search_input=$("#search-input").val();var keywords=search_input.split(/[\s,\.;]+/);var matches=0;$(".rule-detail").each(function(){var rrid=$(this).attr("id").substring(12);var overview_leaf=$("#rule-overview-leaf-"+rrid);var detail_leaf=$(this);if(ruleSearchMatches(detail_leaf,keywords)){overview_leaf.removeClass("search-no-match");detail_leaf.removeClass("search-no-match");++matches;}else{overview_leaf.addClass("search-no-match");detail_leaf.addClass("search-no-match");}});if(!search_input)$("#search-matches").html("");else if(matches>0)$("#search-matches").html(matches.toString()+" rules match.");else $("#search-matches").html("No rules match your search criteria!");}var is_original=true;var original_treetable=null;$(document).ready(function(){$("#result-details").hide();$(".js-only").show();$(".form-group select").val("default");$(".toggle-rule-display").each(function(){toggleRuleDisplay(this);});original_treetable=$(".treetable").clone();$(".treetable").treetable({column:0,expandable:true,clickableNodeNames:true,initialState:"expanded",indent:0});is_original=true;stripeTreeTable();});function resetTreetable(){if(!is_original){$(".treetable").remove();$("#rule-overview").append(original_treetable.clone());$(".treetable").treetable({column:0,expandable:true,clickableNodeNames:true,initialState:"expanded",indent:0});$(".toggle-rule-display").each(function(){toggleRuleDisplay(this);});is_original=true;}}function newGroupLine(key,group_name){var maxKeyLength=24;if(key.length>maxKeyLength)key=key.substring(0,maxKeyLength-1)+"â¦";return "<tr class=\"rule-overview-inner-node\" data-tt-id=\""+group_name+"\">"+"<td colspan=\"3\"><small>"+key+"</small> = <strong>"+group_name+"</strong></td></tr>";}var KeysEnum={DEFAULT:"default",SEVERITY:"severity",RESULT:"result",NIST:"NIST SP 800-53 ID",DISA_CCI:"DISA CCI",DISA_SRG:"DISA SRG",DISA_STIG_ID:"DISA STIG ID",PCI_DSS:"PCI DSS Requirement",CIS:"CIS Recommendation"};function getTargetGroupsList(rule,key){switch(key){case KeysEnum.SEVERITY:var severity=rule.children(".rule-severity").text();return [severity];case KeysEnum.RESULT:var result=rule.children(".rule-result").text();return [result];default:try{var references=JSON.parse(rule.attr("data-references"));}catch(err){return ["unknown"];}if(!references.hasOwnProperty(key))return ["unknown"];return references[key];}}function sortGroups(groups,key){switch(key){case KeysEnum.SEVERITY:return ["high","medium","low"];case KeysEnum.RESULT:return groups.sort();default:return groups.sort(function(a,b){var a_parts=a.split(/[.()-]/);var b_parts=b.split(/[.()-]/);var result=0;var min_length=Math.min(a_parts.length,b_parts.length);var number=/^[1-9][0-9]*$/;for(i=0;i<min_length&&result==0;i++)if(a_parts[i].match(number)==null||a_parts[i].match(number)==null)result=a_parts[i].localeCompare(b_parts[i]);else result=parseInt(a_parts[i])-parseInt(b_parts[i]);if(result==0)result=a_parts.length-b_parts.length;return result;});}}function groupRulesBy(key){resetTreetable();if(key==KeysEnum.DEFAULT)return;var lines={};$(".rule-overview-leaf").each(function(){$(this).children("td:first").css("padding-left","0px");var id=$(this).attr("data-tt-id");var target_groups=getTargetGroupsList($(this),key);for(i=0;i<target_groups.length;i++){var target_group=target_groups[i];if(!lines.hasOwnProperty(target_group))lines[target_group]=[newGroupLine(key,target_group)];var clone=$(this).clone();clone.attr("data-tt-id",id+"copy"+i);clone.attr("data-tt-parent-id",target_group);var new_line=clone.wrap("<div>").parent().html();lines[target_group].push(new_line);}});$(".treetable").remove();var groups=sortGroups(Object.keys(lines),key);var html_text="";for(i=0;i<groups.length;i++)html_text+=lines[groups[i]].join("\n");new_table="<table class=\"treetable table table-bordered\"><thead><tr><th>Group</th> <th style=\"width: 120px; text-align: center\">Severity</th><th style=\"width: 120px; text-align: center\">Result</th></tr></thead><tbody>"+html_text+"</tbody></table>";$("#rule-overview").append(new_table);is_original=false;$(".treetable").treetable({column:0,expandable:true,clickableNodeNames:true,initialState:"expanded",indent:0});stripeTreeTable();}function stripeTreeTable(){var rows=$(".rule-overview-leaf:not(.rule-result-filtered)");var even=false;$(rows).each(function(){$(this).css("background-color",even?"#F9F9F9":"inherit");even=!even;});}</script></head><body><nav class="navbar navbar-default" role="navigation"><div class="navbar-header" style="float: none"><a class="navbar-brand" href="#"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" width="52" height="52" id="svg2"><g transform="matrix(0.75266991,0,0,0.75266991,-17.752968,-104.57468)" id="g32"><path d="m 24.7,173.5 c 0,-9 3.5,-17.5 9.9,-23.9 6.8,-6.8 15.7,-10.4 25,-10 8.6,0.3 16.9,3.9 22.9,9.8 6.4,6.4 9.9,14.9 10,23.8 0.1,9.1 -3.5,17.8 -10,24.3 -13.2,13.2 -34.7,13.1 -48,-0.1 -1.5,-1.5 -1.9,-4.2 0.2,-6.2 l 9,-9 c -2,-3.6 -4.9,-13.1 2.6,-20.7 7.6,-7.6 18.6,-6 24.4,-0.2 3.3,3.3 5.1,7.6 5.1,12.1 0.1,4.6 -1.8,9.1 -5.3,12.5 -4.2,4.2 -10.2,5.8 -16.1,4.4 -1.5,-0.4 -2.4,-1.9 -2.1,-3.4 0.4,-1.5 1.9,-2.4 3.4,-2.1 4.1,1 8,-0.1 10.9,-2.9 2.3,-2.3 3.6,-5.3 3.6,-8.4 0,0 0,-0.1 0,-0.1 0,-3 -1.3,-5.9 -3.5,-8.2 -3.9,-3.9 -11.3,-4.9 -16.5,0.2 -6.3,6.3 -1.6,14.1 -1.6,14.2 1.5,2.4 0.7,5 -0.9,6.3 l -8.4,8.4 c 9.9,8.9 27.2,11.2 39.1,-0.8 5.4,-5.4 8.4,-12.5 8.4,-20 0,-0.1 0,-0.2 0,-0.3 -0.1,-7.5 -3,-14.6 -8.4,-19.9 -5,-5 -11.9,-8 -19.1,-8.2 -7.8,-0.3 -15.2,2.7 -20.9,8.4 -8.7,8.7 -8.7,19 -7.9,24.3 0.3,2.4 1.1,4.9 2.2,7.3 0.6,1.4 0,3.1 -1.4,3.7 -1.4,0.6 -3.1,0 -3.7,-1.4 -1.3,-2.9 -2.2,-5.8 -2.6,-8.7 -0.3,-1.7 -0.4,-3.5 -0.4,-5.2 z" id="path34" style="fill:#12497f"></path></g></svg></a><div><h1>OpenSCAP Evaluation Report</h1></div></div></nav><div class="container"><div id="content"><div id="introduction"><div class="row"><h2>Guide to the Secure Configuration of Red Hat Enterprise Linux 7</h2><blockquote>with profile <mark>DISA STIG for Red Hat Enterprise Linux 7</mark><div class="col-md-12 well well-lg horizontal-scroll"><div class="description profile-description"><small>This profile contains configuration checks that align to the > DISA STIG for Red Hat Enterprise Linux V1R4. > > In addition to being applicable to RHEL7, DISA recognizes this > configuration baseline as applicable to the operating system tier of > Red Hat technologies that are based off RHEL7, such as: > - Red Hat Enterprise Linux Server > - Red Hat Enterprise Linux Workstation and Desktop > - Red Hat Virtualization Hypervisor (RHV-H) > - Red Hat Enterprise Linux for HPC > - Red Hat Storage</small></div></div></blockquote><div class="col-md-12 well well-lg horizontal-scroll"><div class="front-matter">The SCAP Security Guide Project<br> > > <a href="https://www.open-scap.org/security-policies/scap-security-guide">https://www.open-scap.org/security-policies/scap-security-guide</a> ></div><div class="description">This guide presents a catalog of security-relevant >configuration settings for Red Hat Enterprise Linux 7. It is a rendering of >content structured in the eXtensible Configuration Checklist Description Format (XCCDF) >in order to support security automation. The SCAP content is >is available in the <code>scap-security-guide</code> package which is developed at > > <a href="https://www.open-scap.org/security-policies/scap-security-guide">https://www.open-scap.org/security-policies/scap-security-guide</a>. ><br><br> >Providing system administrators with such guidance informs them how to securely >configure systems under their control in a variety of network roles. Policy >makers and baseline creators can use this catalog of settings, with its >associated references to higher-level security control catalogs, in order to >assist them in security baseline creation. This guide is a <em>catalog, not a >checklist</em>, and satisfaction of every item is not likely to be possible or >sensible in many operational scenarios. However, the XCCDF format enables >granular selection and adjustment of settings, and their association with OVAL >and OCIL content provides an automated checking capability. Transformations of >this document, and its associated automated checking content, are capable of >providing baselines that meet a diverse set of policy objectives. Some example >XCCDF <em>Profiles</em>, which are selections of items that form checklists and >can be used as baselines, are available with this guide. They can be >processed, in an automated fashion, with tools that support the Security >Content Automation Protocol (SCAP). The DISA STIG for Red Hat Enterprise Linux 7, >which provides required settings for US Department of Defense systems, is >one example of a baseline created from this guidance. ></div><div class="top-spacer-10"><div class="alert alert-info">Do not attempt to implement any of the settings in >this guide without first testing them in a non-operational environment. The >creators of this guidance assume no responsibility whatsoever for its use by >other parties, and makes no guarantees, expressed or implied, about its >quality, reliability, or any other characteristic. ></div></div></div></div></div><div id="characteristics"><h2>Evaluation Characteristics</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Evaluation target</th><td>localhost</td></tr><tr><th>Benchmark URL</th><td>/root/openscap_data/cdrom.xml</td></tr><tr><th>Benchmark ID</th><td>xccdf_org.ssgproject.content_benchmark_RHEL-7</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_stig-rhel7-disa</td></tr><tr><th>Started at</th><td>2018-08-27T15:28:14</td></tr><tr><th>Finished at</th><td>2018-08-27T15:28:14</td></tr><tr><th>Performed by</th><td></td></tr></table></div><div class="col-md-3 horizontal-scroll"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-success" title="CPE platform cpe:/o:redhat:enterprise_linux:7 was found applicable on the evaluated machine">cpe:/o:redhat:enterprise_linux:7</span></li><li class="list-group-item"><span class="label label-success" title="CPE platform cpe:/o:redhat:enterprise_linux:7::client was found applicable on the evaluated machine">cpe:/o:redhat:enterprise_linux:7::client</span></li><li class="list-group-item"><span class="label label-success" title="CPE platform cpe:/o:redhat:enterprise_linux:7::computenode was found applicable on the evaluated machine">cpe:/o:redhat:enterprise_linux:7::computenode</span></li></ul></div><div class="col-md-4 horizontal-scroll"><h4>Addresses</h4><ul class="list-group"><li class="list-group-item"><span class="label label-primary">IPv4</span> >  127.0.0.1</li><li class="list-group-item"><span class="label label-primary">IPv4</span> >  192.168.122.98</li><li class="list-group-item"><span class="label label-info">IPv6</span> >  0:0:0:0:0:0:0:1</li><li class="list-group-item"><span class="label label-info">IPv6</span> >  fe80:0:0:0:5054:ff:fe14:6849</li><li class="list-group-item"><span class="label label-default">MAC</span> >  00:00:00:00:00:00</li><li class="list-group-item"><span class="label label-default">MAC</span> >  52:54:00:14:68:49</li></ul></div></div></div><div id="compliance-and-scoring"><h2>Compliance and Scoring</h2><div class="alert alert-danger"><strong>The target system did not satisfy the conditions of 9 rules!</strong> > Furthermore, the results of 10 rules were inconclusive. > > Please review rule results and consider applying remediation. > </div><h3>Rule results</h3><div class="progress" title="Displays proportion of passed/fixed, failed/error, and other rules (in that order). There were 243 rules taken into account."><div class="progress-bar progress-bar-success" style="width: 80.6584362139918%">196 passed > </div><div class="progress-bar progress-bar-danger" style="width: 3.703703703703703%">9 failed > </div><div class="progress-bar progress-bar-warning" style="width: 15.6378600823045%">38 other > </div></div><h3>Severity of failed rules</h3><div class="progress" title="Displays proportion of high, medium, low, and other severity failed rules (in that order). There were 9 total failed rules."><div class="progress-bar progress-bar-success" style="width: 11.1111111111111%">1 other > </div><div class="progress-bar progress-bar-info" style="width: 0%">0 low > </div><div class="progress-bar progress-bar-warning" style="width: 55.5555555555556%">5 medium > </div><div class="progress-bar progress-bar-danger" style="width: 33.3333333333333%">3 high > </div></div><h3 title="As per the XCCDF specification">Score</h3><table class="table table-striped table-bordered"><thead><tr><th>Scoring system</th><th class="text-center">Score</th><th class="text-center">Maximum</th><th class="text-center" style="width: 40%">Percent</th></tr></thead><tbody><tr><td>urn:xccdf:scoring:default</td><td class="text-center">80.950165</td><td class="text-center">100.000000</td><td><div class="progress"><div class="progress-bar progress-bar-success" style="width: 80.950165%">80.95%</div><div class="progress-bar progress-bar-danger" style="width: 19.049835%"></div></div></td></tr></tbody></table></div><div id="rule-overview"><h2>Rule Overview</h2><div class="form-group js-only hidden-print"><div class="row"><div title="Filter rules by their XCCDF result"><div class="col-sm-2 toggle-rule-display-success"><div class="checkbox"><label><input class="toggle-rule-display" type="checkbox" onclick="toggleRuleDisplay(this)" checked value="pass"></input>pass</label></div><div class="checkbox"><label><input class="toggle-rule-display" type="checkbox" onclick="toggleRuleDisplay(this)" checked value="fixed"></input>fixed</label></div><div class="checkbox"><label><input class="toggle-rule-display" type="checkbox" onclick="toggleRuleDisplay(this)" checked value="informational"></input>informational</label></div></div><div class="col-sm-2 toggle-rule-display-danger"><div class="checkbox"><label><input class="toggle-rule-display" type="checkbox" onclick="toggleRuleDisplay(this)" checked value="fail"></input>fail</label></div><div class="checkbox"><label><input class="toggle-rule-display" type="checkbox" onclick="toggleRuleDisplay(this)" checked value="error"></input>error</label></div><div class="checkbox"><label><input class="toggle-rule-display" type="checkbox" onclick="toggleRuleDisplay(this)" checked value="unknown"></input>unknown</label></div></div><div class="col-sm-2 toggle-rule-display-other"><div class="checkbox"><label><input class="toggle-rule-display" type="checkbox" onclick="toggleRuleDisplay(this)" checked value="notchecked"></input>notchecked</label></div><div class="checkbox"><label><input class="toggle-rule-display" type="checkbox" onclick="toggleRuleDisplay(this)" checked value="notapplicable"></input>notapplicable</label></div></div></div><div class="col-sm-6"><div class="input-group"><input type="text" class="form-control" placeholder="Search through XCCDF rules" id="search-input" oninput="ruleSearch()"></input><div class="input-group-btn"><button class="btn btn-default" onclick="ruleSearch()">Search</button></div></div><p id="search-matches"></p> > Group rules by: > <select name="groupby" onchange="groupRulesBy(value)"><option value="default" selected>Default</option><option value="severity">Severity</option><option value="result">Result</option><option disabled>ââââââââââ</option><option value="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx</option><option value="DISA CCI">DISA CCI</option><option value="DISA SRG">DISA SRG</option><option value="DISA STIG">DISA STIG</option><option value="NIST SP 800-171">NIST SP 800-171</option><option value="NIST SP 800-53">NIST SP 800-53</option><option value="ANSSI">ANSSI</option><option value="CIS Recommendation">CIS Recommendation</option><option value="FBI CJIS">FBI CJIS</option><option value="HIPAA">HIPAA</option><option value="ISO 27001-2013">ISO 27001-2013</option><option value="https://www.niap-ccevs.org/Profile/PP.cfm">https://www.niap-ccevs.org/Profile/PP.cfm</option><option value="PCI-DSS Requirement">PCI-DSS Requirement</option></select></div></div></div><table class="treetable table table-bordered"><thead><tr><th>Title</th><th style="width: 120px; text-align: center">Severity</th><th style="width: 120px; text-align: center">Result</th></tr></thead><tbody><tr data-tt-id="xccdf_org.ssgproject.content_benchmark_RHEL-7" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td colspan="3" style="padding-left: 0px"><strong>Guide to the Secure Configuration of Red Hat Enterprise Linux 7</strong> <span class="badge">9x fail</span> <span class="badge">10x error</span> <span class="badge">28x notchecked</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_services" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_services" data-tt-parent-id="xccdf_org.ssgproject.content_benchmark_RHEL-7"><td colspan="3" style="padding-left: 19px"><strong>Services</strong> <span class="badge">4x error</span> <span class="badge">2x notchecked</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_obsolete" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_obsolete" data-tt-parent-id="xccdf_org.ssgproject.content_group_services"><td colspan="3" style="padding-left: 38px">Obsolete Services<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_obsolete");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_r_services" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_r_services" data-tt-parent-id="xccdf_org.ssgproject.content_group_obsolete"><td colspan="3" style="padding-left: 57px">Rlogin, Rsh, and Rexec<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_r_services");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_no_host_based_files" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_no_host_based_files" id="rule-overview-leaf-idm46336716330976" data-tt-parent-id="xccdf_org.ssgproject.content_group_r_services" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86903r1_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-040550"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336716330976" onclick="return openRuleDetailsDialog('idm46336716330976')">Remove Host-Based Authentication Files</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_no_user_host_based_files" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_no_user_host_based_files" id="rule-overview-leaf-idm46336716324560" data-tt-parent-id="xccdf_org.ssgproject.content_group_r_services" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86901r1_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-040540"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336716324560" onclick="return openRuleDetailsDialog('idm46336716324560')">Remove User Host-Based Authentication Files</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_rsh-server_removed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_rsh-server_removed" id="rule-overview-leaf-idm46336716320592" data-tt-parent-id="xccdf_org.ssgproject.content_group_r_services" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86591r1_rule"],"DISA CCI":["CCI-000381"],"DISA SRG":["SRG-OS-000095-GPOS-00049"],"DISA STIG":["RHEL-07-020000"],"NIST SP 800-53":["AC-17(8)","CM-7(a)"],"HIPAA":["164.308(a)(4)(i)","164.308(b)(1)","164.308(b)(3)","164.310(b)","164.312(e)(1)","164.312(e)(2)(ii)"],"ISO 27001-2013":["A.8.2.3","A.13.1.1","A.13.2.1","A.13.2.3","A.14.1.2","A.14.1.3"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336716320592" onclick="return openRuleDetailsDialog('idm46336716320592')">Uninstall rsh-server Package</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_telnet" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_telnet" data-tt-parent-id="xccdf_org.ssgproject.content_group_obsolete"><td colspan="3" style="padding-left: 57px">Telnet<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_telnet");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_telnet-server_removed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_telnet-server_removed" id="rule-overview-leaf-idm46336716309104" data-tt-parent-id="xccdf_org.ssgproject.content_group_telnet" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86701r1_rule"],"DISA CCI":["CCI-000381"],"DISA SRG":["SRG-OS-000095-GPOS-00049"],"DISA STIG":["RHEL-07-021710"],"NIST SP 800-53":["AC-17(8)","CM-7(a)"],"CIS Recommendation":["2.1.1"],"HIPAA":["164.308(a)(4)(i)","164.308(b)(1)","164.308(b)(3)","164.310(b)","164.312(e)(1)","164.312(e)(2)(ii)"],"ISO 27001-2013":["A.8.2.3","A.13.1.1","A.13.2.1","A.13.2.3","A.14.1.2","A.14.1.3"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336716309104" onclick="return openRuleDetailsDialog('idm46336716309104')">Uninstall telnet-server Package</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_nis" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_nis" data-tt-parent-id="xccdf_org.ssgproject.content_group_obsolete"><td colspan="3" style="padding-left: 57px">NIS<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_nis");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_ypserv_removed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_ypserv_removed" id="rule-overview-leaf-idm46336716300096" data-tt-parent-id="xccdf_org.ssgproject.content_group_nis" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86593r1_rule"],"DISA CCI":["CCI-000381"],"DISA SRG":["SRG-OS-000095-GPOS-00049"],"DISA STIG":["RHEL-07-020010"],"NIST SP 800-53":["AC-17(8)","CM-7(a)"],"CIS Recommendation":["2.2.16"],"HIPAA":["164.308(a)(4)(i)","164.308(b)(1)","164.308(b)(3)","164.310(b)","164.312(e)(1)","164.312(e)(2)(ii)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336716300096" onclick="return openRuleDetailsDialog('idm46336716300096')">Uninstall ypserv Package</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_tftp" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_tftp" data-tt-parent-id="xccdf_org.ssgproject.content_group_obsolete"><td colspan="3" style="padding-left: 57px">TFTP Server<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_tftp");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_tftp-server_removed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_tftp-server_removed" id="rule-overview-leaf-idm46336716291120" data-tt-parent-id="xccdf_org.ssgproject.content_group_tftp" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86925r1_rule"],"DISA CCI":["CCI-000318","CCI-000368","CCI-001812","CCI-001813","CCI-001814"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-040700"],"NIST SP 800-53":["AC-17(8)","CM-6(c)","CM-7"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336716291120" onclick="return openRuleDetailsDialog('idm46336716291120')">Uninstall tftp-server Package</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_tftpd_uses_secure_mode" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_tftpd_uses_secure_mode" id="rule-overview-leaf-idm46336716287152" data-tt-parent-id="xccdf_org.ssgproject.content_group_tftp" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86929r2_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-040720"],"NIST SP 800-53":["AC-6","AC-17(8)","CM-7"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336716287152" onclick="return openRuleDetailsDialog('idm46336716287152')">Ensure tftp Daemon Uses Secure Mode</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_ftp" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_ftp" data-tt-parent-id="xccdf_org.ssgproject.content_group_services"><td colspan="3" style="padding-left: 38px">FTP Server<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_ftp");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_disabling_vsftpd" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_disabling_vsftpd" data-tt-parent-id="xccdf_org.ssgproject.content_group_ftp"><td colspan="3" style="padding-left: 57px">Disable vsftpd if Possible<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_disabling_vsftpd");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_vsftpd_removed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_vsftpd_removed" id="rule-overview-leaf-idm46336716249152" data-tt-parent-id="xccdf_org.ssgproject.content_group_disabling_vsftpd" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86923r2_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-040690"],"NIST SP 800-53":["CM-6(b)","CM-7"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336716249152" onclick="return openRuleDetailsDialog('idm46336716249152')">Uninstall vsftpd Package</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_snmp" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_snmp" data-tt-parent-id="xccdf_org.ssgproject.content_group_services"><td colspan="3" style="padding-left: 38px">SNMP Server<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_snmp");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_snmp_configure_server" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_snmp_configure_server" data-tt-parent-id="xccdf_org.ssgproject.content_group_snmp"><td colspan="3" style="padding-left: 57px">Configure SNMP Server if Necessary<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_snmp_configure_server");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_snmpd_not_default_password" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_snmpd_not_default_password" id="rule-overview-leaf-idm46336716242704" data-tt-parent-id="xccdf_org.ssgproject.content_group_snmp_configure_server" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86937r1_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-040800"],"NIST SP 800-53":["IA-5.1(ii)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336716242704" onclick="return openRuleDetailsDialog('idm46336716242704')">Ensure Default SNMP Password Is Not Used</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_cron_and_at" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_cron_and_at" data-tt-parent-id="xccdf_org.ssgproject.content_group_services"><td colspan="3" style="padding-left: 38px">Cron and At Daemons<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_cron_and_at");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_restrict_at_cron_users" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_restrict_at_cron_users" data-tt-parent-id="xccdf_org.ssgproject.content_group_cron_and_at"><td colspan="3" style="padding-left: 57px">Restrict at and cron to Authorized Users if Necessary<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_restrict_at_cron_users");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_file_groupowner_cron_allow" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_file_groupowner_cron_allow" id="rule-overview-leaf-idm46336716233696" data-tt-parent-id="xccdf_org.ssgproject.content_group_restrict_at_cron_users" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86679r1_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-021120"],"NIST SP 800-53":["AC-6"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336716233696" onclick="return openRuleDetailsDialog('idm46336716233696')">Verify Group Who Owns /etc/cron.allow file</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_file_owner_cron_allow" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_file_owner_cron_allow" id="rule-overview-leaf-idm46336716229728" data-tt-parent-id="xccdf_org.ssgproject.content_group_restrict_at_cron_users" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86677r2_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-021110"],"NIST SP 800-53":["AC-6"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336716229728" onclick="return openRuleDetailsDialog('idm46336716229728')">Verify User Who Owns /etc/cron.allow file</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_xwindows" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_xwindows" data-tt-parent-id="xccdf_org.ssgproject.content_group_services"><td colspan="3" style="padding-left: 38px">X Window System<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_xwindows");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_disabling_xwindows" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_disabling_xwindows" data-tt-parent-id="xccdf_org.ssgproject.content_group_xwindows"><td colspan="3" style="padding-left: 57px">Disable X Windows<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_disabling_xwindows");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_xorg-x11-server-common_removed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_xorg-x11-server-common_removed" id="rule-overview-leaf-idm46336716215728" data-tt-parent-id="xccdf_org.ssgproject.content_group_disabling_xwindows" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86931r3_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-040730"],"NIST SP 800-53":["AC-17(8).1(ii)"],"CIS Recommendation":["2.2.2"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336716215728" onclick="return openRuleDetailsDialog('idm46336716215728')">Remove the X Windows Package Group</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_sssd" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_sssd" data-tt-parent-id="xccdf_org.ssgproject.content_group_services"><td colspan="3" style="padding-left: 38px"><strong>System Security Services Daemon</strong> <span class="badge">1x notchecked</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_sssd-ldap" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_sssd-ldap" data-tt-parent-id="xccdf_org.ssgproject.content_group_sssd"><td colspan="3" style="padding-left: 57px"><strong>System Security Services Daemon (SSSD) - LDAP</strong> <span class="badge">1x notchecked</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sssd_ldap_configure_tls_ca_dir" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sssd_ldap_configure_tls_ca_dir" id="rule-overview-leaf-idm46336716008032" data-tt-parent-id="xccdf_org.ssgproject.content_group_sssd-ldap" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86853r2_rule"],"DISA CCI":["CCI-001453"],"DISA SRG":["SRG-OS-000250-GPOS-00093"],"DISA STIG":["RHEL-07-040190"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336716008032" onclick="return openRuleDetailsDialog('idm46336716008032')">Configure SSSD LDAP Backend Client CA Certificate Location</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sssd_ldap_start_tls" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sssd_ldap_start_tls" id="rule-overview-leaf-idm46336716002768" data-tt-parent-id="xccdf_org.ssgproject.content_group_sssd-ldap" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86851r2_rule"],"DISA CCI":["CCI-001453"],"DISA SRG":["SRG-OS-000250-GPOS-00093"],"DISA STIG":["RHEL-07-040180"],"NIST SP 800-53":["AC-17(2)","CM-7"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336716002768" onclick="return openRuleDetailsDialog('idm46336716002768')">Configure SSSD LDAP Backend to Use TLS For All Transactions</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sssd_ldap_configure_tls_ca" class="rule-overview-leaf rule-overview-leaf-notchecked rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sssd_ldap_configure_tls_ca" id="rule-overview-leaf-idm46336715997088" data-tt-parent-id="xccdf_org.ssgproject.content_group_sssd-ldap" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86855r2_rule"],"DISA CCI":["CCI-001453"],"DISA SRG":["SRG-OS-000250-GPOS-00093"],"DISA STIG":["RHEL-07-040200"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336715997088" onclick="return openRuleDetailsDialog('idm46336715997088')">Configure SSSD LDAP Backend Client CA Certificate</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sssd_enable_pam_services" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sssd_enable_pam_services" id="rule-overview-leaf-idm46336715991328" data-tt-parent-id="xccdf_org.ssgproject.content_group_sssd" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-87051r3_rule"],"DISA CCI":["CCI-001948","CCI-001953","CCI-001954"],"DISA SRG":["SRG-OS-000375-GPOS-00160","SRG-OS-000375-GPOS-00161","SRG-OS-000375-GPOS-00162"],"DISA STIG":["RHEL-07-041002"],"NIST SP 800-53":["IA-2(11)"]}'><td style="padding-left: 57px"><a href="#rule-detail-idm46336715991328" onclick="return openRuleDetailsDialog('idm46336715991328')">Configure PAM in SSSD Services</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_ntp" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_ntp" data-tt-parent-id="xccdf_org.ssgproject.content_group_services"><td colspan="3" style="padding-left: 38px">Network Time Protocol<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_ntp");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_set_maxpoll" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_set_maxpoll" id="rule-overview-leaf-idm46336715966816" data-tt-parent-id="xccdf_org.ssgproject.content_group_ntp" data-references='{"":["SRG-OS-000356-GPOS-00144"],"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86893r2_rule"],"DISA CCI":["CCI-001891","CCI-002046"],"DISA SRG":["SRG-OS-000355-GPOS-00143"],"DISA STIG":["RHEL-07-040500"],"NIST SP 800-53":["AU-8(1)(a)"]}'><td style="padding-left: 57px"><a href="#rule-detail-idm46336715966816" onclick="return openRuleDetailsDialog('idm46336715966816')">Configure Time Service Maxpoll Interval</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_base" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_base" data-tt-parent-id="xccdf_org.ssgproject.content_group_services"><td colspan="3" style="padding-left: 38px"><strong>Base Services</strong> <span class="badge">1x error</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_kdump_disabled" class="rule-overview-leaf rule-overview-leaf-error rule-overview-needs-attention" id="rule-overview-leaf-idm46336715902496" data-tt-parent-id="xccdf_org.ssgproject.content_group_base" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86681r1_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-021300"],"NIST SP 800-53":["AC-17(8)","CM-7","CM-6(b)"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)","164.308(a)(4)","164.310(b)","164.310(c)","164.312(a)","164.312(e)"]}'><td style="padding-left: 57px"><a href="#rule-detail-idm46336715902496" onclick="return openRuleDetailsDialog('idm46336715902496')">Disable KDump Kernel Crash Analyzer (kdump)</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-error"><div><abbr title="The checking engine could not complete the evaluation, therefore the status of the target's compliance with the rule is not certain. This could happen, for example, if a testing tool was run with insufficient privileges and could not gather all of the necessary information.">error</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_mail" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_mail" data-tt-parent-id="xccdf_org.ssgproject.content_group_services"><td colspan="3" style="padding-left: 38px"><strong>Mail Server Software</strong> <span class="badge">1x notchecked</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_postfix_harden_os" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_postfix_harden_os" data-tt-parent-id="xccdf_org.ssgproject.content_group_mail"><td colspan="3" style="padding-left: 57px"><strong>Configure Operating System to Protect Mail Server</strong> <span class="badge">1x notchecked</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_postfix_server_cfg" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_postfix_server_cfg" data-tt-parent-id="xccdf_org.ssgproject.content_group_postfix_harden_os"><td colspan="3" style="padding-left: 76px"><strong>Configure Postfix if Necessary</strong> <span class="badge">1x notchecked</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_postfix_server_relay" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_postfix_server_relay" data-tt-parent-id="xccdf_org.ssgproject.content_group_postfix_server_cfg"><td colspan="3" style="padding-left: 95px"><strong>Control Mail Relaying</strong> <span class="badge">1x notchecked</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_postfix_prevent_unrestricted_relay" class="rule-overview-leaf rule-overview-leaf-notchecked rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_postfix_prevent_unrestricted_relay" id="rule-overview-leaf-idm46336715876112" data-tt-parent-id="xccdf_org.ssgproject.content_group_postfix_server_relay" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86921r2_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-040680"]}'><td style="padding-left: 114px"><a href="#rule-detail-idm46336715876112" onclick="return openRuleDetailsDialog('idm46336715876112')">Prevent Unrestricted Mail Relaying</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_nfs_and_rpc" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_nfs_and_rpc" data-tt-parent-id="xccdf_org.ssgproject.content_group_services"><td colspan="3" style="padding-left: 38px">NFS and RPC<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_nfs_and_rpc");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_nfs_configuring_clients" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_nfs_configuring_clients" data-tt-parent-id="xccdf_org.ssgproject.content_group_nfs_and_rpc"><td colspan="3" style="padding-left: 57px">Configure NFS Clients<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_nfs_configuring_clients");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_mounting_remote_filesystems" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_mounting_remote_filesystems" data-tt-parent-id="xccdf_org.ssgproject.content_group_nfs_configuring_clients"><td colspan="3" style="padding-left: 76px">Mount Remote Filesystems with Restrictive Options<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_mounting_remote_filesystems");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_mount_option_krb_sec_remote_filesystems" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_mount_option_krb_sec_remote_filesystems" id="rule-overview-leaf-idm46336715816192" data-tt-parent-id="xccdf_org.ssgproject.content_group_mounting_remote_filesystems" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86935r3_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-040750"],"NIST SP 800-53":["AC-14(1)"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336715816192" onclick="return openRuleDetailsDialog('idm46336715816192')">Mount Remote Filesystems with Kerberos Security</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_mount_option_noexec_remote_filesystems" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_mount_option_noexec_remote_filesystems" id="rule-overview-leaf-idm46336715812208" data-tt-parent-id="xccdf_org.ssgproject.content_group_mounting_remote_filesystems" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-87813r1_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-021021"],"NIST SP 800-53":["AC-6"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336715812208" onclick="return openRuleDetailsDialog('idm46336715812208')">Mount Remote Filesystems with noexec</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_mount_option_nosuid_remote_filesystems" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_mount_option_nosuid_remote_filesystems" id="rule-overview-leaf-idm46336715808272" data-tt-parent-id="xccdf_org.ssgproject.content_group_mounting_remote_filesystems" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86669r1_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-021020"],"NIST SP 800-53":["AC-6"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336715808272" onclick="return openRuleDetailsDialog('idm46336715808272')">Mount Remote Filesystems with nosuid</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_ssh" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_ssh" data-tt-parent-id="xccdf_org.ssgproject.content_group_services"><td colspan="3" style="padding-left: 38px"><strong>SSH Server</strong> <span class="badge">3x error</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_ssh_server" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_ssh_server" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh"><td colspan="3" style="padding-left: 57px">Configure OpenSSH Server if Necessary<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_ssh_server");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sshd_enable_strictmodes" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sshd_enable_strictmodes" id="rule-overview-leaf-idm46336715766960" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh_server" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86887r2_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-040450"],"NIST SP 800-171":["3.1.12"],"NIST SP 800-53":["AC-6"],"HIPAA":["164.308(a)(4)(i)","164.308(b)(1)","164.308(b)(3)","164.310(b)","164.312(e)(1)","164.312(e)(2)(ii)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336715766960" onclick="return openRuleDetailsDialog('idm46336715766960')">Enable Use of Strict Mode Checking</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sshd_disable_user_known_hosts" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sshd_disable_user_known_hosts" id="rule-overview-leaf-idm46336715762144" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh_server" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86873r2_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-040380"],"NIST SP 800-171":["3.1.12"],"NIST SP 800-53":["CM-6(a)"],"HIPAA":["164.308(a)(4)(i)","164.308(b)(1)","164.308(b)(3)","164.310(b)","164.312(e)(1)","164.312(e)(2)(ii)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FIA_AFL.1"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336715762144" onclick="return openRuleDetailsDialog('idm46336715762144')">Disable SSH Support for User Known Hosts</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords" id="rule-overview-leaf-idm46336715744304" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh_server" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86563r2_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00229"],"DISA STIG":["RHEL-07-010300"],"NIST SP 800-171":["3.1.1","3.1.5"],"NIST SP 800-53":["AC-3","AC-6","CM-6(b)"],"CIS Recommendation":["5.2.9"],"FBI CJIS":["5.5.6"],"HIPAA":["164.308(a)(4)(i)","164.308(b)(1)","164.308(b)(3)","164.310(b)","164.312(e)(1)","164.312(e)(2)(ii)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FIA_AFL.1"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336715744304" onclick="return openRuleDetailsDialog('idm46336715744304')">Disable SSH Access via Empty Passwords</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_keepalive" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_keepalive" id="rule-overview-leaf-idm46336715734672" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh_server" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86865r3_rule"],"DISA CCI":["CCI-001133","CCI-002361"],"DISA SRG":["SRG-OS-000163-GPOS-00072","SRG-OS-000279-GPOS-00109"],"DISA STIG":["RHEL-07-040340"],"NIST SP 800-171":["3.1.11"],"NIST SP 800-53":["AC-2(5)","SA-8","AC-12"],"CIS Recommendation":["5.2.12"],"FBI CJIS":["5.5.6"],"HIPAA":["164.308(a)(4)(i)","164.308(b)(1)","164.308(b)(3)","164.310(b)","164.312(e)(1)","164.312(e)(2)(ii)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336715734672" onclick="return openRuleDetailsDialog('idm46336715734672')">Set SSH Client Alive Count</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sshd_disable_rhosts_rsa" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sshd_disable_rhosts_rsa" id="rule-overview-leaf-idm46336715724848" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh_server" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86863r3_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-040330"],"NIST SP 800-171":["3.1.12"],"NIST SP 800-53":["CM-6(a)"],"HIPAA":["164.308(a)(4)(i)","164.308(b)(1)","164.308(b)(3)","164.310(b)","164.312(e)(1)","164.312(e)(2)(ii)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FIA_AFL.1"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336715724848" onclick="return openRuleDetailsDialog('idm46336715724848')">Disable SSH Support for Rhosts RSA Authentication</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner" id="rule-overview-leaf-idm46336715755776" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh_server" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86849r3_rule"],"DISA CCI":["CCI-000048","CCI-000050","CCI-001384","CCI-001385","CCI-001386","CCI-001387","CCI-001388"],"DISA SRG":["SRG-OS-000023-GPOS-00006","SRG-OS-000024-GPOS-00007","SRG-OS-000228-GPOS-00088"],"DISA STIG":["RHEL-07-040170"],"NIST SP 800-171":["3.1.9"],"NIST SP 800-53":["AC-8(a)","AC-8(b)","AC-8(c)(1)","AC-8(c)(2)","AC-8(c)(3)"],"CIS Recommendation":["5.2.16"],"FBI CJIS":["5.5.6"],"HIPAA":["164.308(a)(4)(i)","164.308(b)(1)","164.308(b)(3)","164.310(b)","164.312(e)(1)","164.312(e)(2)(ii)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_MOF_EXT.1"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336715755776" onclick="return openRuleDetailsDialog('idm46336715755776')">Enable SSH Warning Banner</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sshd_use_approved_macs" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sshd_use_approved_macs" id="rule-overview-leaf-idm46336715707360" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh_server" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86877r2_rule"],"DISA CCI":["CCI-001453"],"DISA SRG":["SRG-OS-000250-GPOS-00093"],"DISA STIG":["RHEL-07-040400"],"NIST SP 800-171":["3.1.13","3.13.11","3.13.8"],"NIST SP 800-53":["AC-17(2)","IA-7","SC-13"],"CIS Recommendation":["5.2.12"],"HIPAA":["164.308(b)(1)","164.308(b)(2)","164.312(e)(1)","164.312(e)(2)(i)","164.312(e)(2)(ii)","164.314(b)(2)(i)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336715707360" onclick="return openRuleDetailsDialog('idm46336715707360')">Use Only FIPS 140-2 Validated MACs</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sshd_do_not_permit_user_env" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sshd_do_not_permit_user_env" id="rule-overview-leaf-idm46336715702240" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh_server" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86581r2_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00229"],"DISA STIG":["RHEL-07-010460"],"NIST SP 800-171":["3.1.12"],"NIST SP 800-53":["CM-6(b)"],"CIS Recommendation":["5.2.10"],"FBI CJIS":["5.5.6"],"HIPAA":["164.308(a)(4)(i)","164.308(b)(1)","164.308(b)(3)","164.310(b)","164.312(e)(1)","164.312(e)(2)(ii)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336715702240" onclick="return openRuleDetailsDialog('idm46336715702240')">Do Not Allow SSH Environment Options</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sshd_disable_kerb_auth" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sshd_disable_kerb_auth" id="rule-overview-leaf-idm46336715718368" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh_server" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86885r2_rule"],"DISA CCI":["CCI-000368","CCI-000318","CCI-001812","CCI-001813","CCI-001814"],"DISA SRG":["SRG-OS-000364-GPOS-00151"],"DISA STIG":["RHEL-07-040440"],"NIST SP 800-171":["3.1.12"],"NIST SP 800-53":["CM-6(c)"],"HIPAA":["164.308(a)(4)(i)","164.308(b)(1)","164.308(b)(3)","164.310(b)","164.312(e)(1)","164.312(e)(2)(ii)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FIA_AFL.1"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336715718368" onclick="return openRuleDetailsDialog('idm46336715718368')">Disable Kerberos Authentication</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2" id="rule-overview-leaf-idm46336715692480" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh_server" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86875r3_rule"],"DISA CCI":["CCI-000197","CCI-000366"],"DISA SRG":["SRG-OS-000074-GPOS-00042","SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-040390"],"NIST SP 800-171":["3.1.13","3.5.4"],"NIST SP 800-53":["AC-17(8).1(ii)","IA-5(1)(c)"],"CIS Recommendation":["5.2.2"],"FBI CJIS":["5.5.6"],"HIPAA":["164.308(a)(4)(i)","164.308(b)(1)","164.308(b)(3)","164.310(b)","164.312(e)(1)","164.312(e)(2)(ii)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336715692480" onclick="return openRuleDetailsDialog('idm46336715692480')">Allow Only SSH Protocol 2</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sshd_disable_rhosts" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sshd_disable_rhosts" id="rule-overview-leaf-idm46336715684656" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh_server" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86867r2_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-040350"],"NIST SP 800-171":["3.1.12"],"NIST SP 800-53":["AC-3","CM-6(a)"],"CIS Recommendation":["5.2.6"],"FBI CJIS":["5.5.6"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FIA_AFL.1"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336715684656" onclick="return openRuleDetailsDialog('idm46336715684656')">Disable SSH Support for .rhosts Files</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout" id="rule-overview-leaf-idm46336715679904" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh_server" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86861r3_rule"],"DISA CCI":["CCI-001133","CCI-002361"],"DISA SRG":["SRG-OS-000163-GPOS-00072","SRG-OS-000279-GPOS-00109"],"DISA STIG":["RHEL-07-040320"],"NIST SP 800-171":["3.1.11"],"NIST SP 800-53":["AC-2(5)","SA-8(i)","AC-12"],"CIS Recommendation":["5.2.12"],"FBI CJIS":["5.5.6"],"PCI-DSS Requirement":["Req-8.1.8"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336715679904" onclick="return openRuleDetailsDialog('idm46336715679904')">Set SSH Idle Timeout Interval</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sshd_enable_x11_forwarding" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sshd_enable_x11_forwarding" id="rule-overview-leaf-idm46336715659504" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh_server" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86927r3_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-040710"],"NIST SP 800-171":["3.1.13"],"NIST SP 800-53":["CM-2(1)(b)"],"CIS Recommendation":["5.2.4"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336715659504" onclick="return openRuleDetailsDialog('idm46336715659504')">Enable Encrypted X11 Forwarding</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sshd_use_approved_ciphers" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sshd_use_approved_ciphers" id="rule-overview-leaf-idm46336715672736" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh_server" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86845r2_rule"],"DISA CCI":["CCI-000068","CCI-000366","CCI-000803"],"DISA SRG":["SRG-OS-000033-GPOS-00014","SRG-OS-000120-GPOS-00061","SRG-OS-000125-GPOS-00065","SRG-OS-000250-GPOS-00093","SRG-OS-000393-GPOS-00173"],"DISA STIG":["RHEL-07-040110"],"NIST SP 800-171":["3.1.13","3.13.11","3.13.8"],"NIST SP 800-53":["AC-3","AC-17(2)","AU-10(5)","CM-6(b)","IA-5(1)(c)","IA-7"],"CIS Recommendation":["5.2.10"],"FBI CJIS":["5.5.6"],"HIPAA":["164.308(b)(1)","164.308(b)(2)","164.312(e)(1)","164.312(e)(2)(i)","164.312(e)(2)(ii)","164.314(b)(2)(i)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336715672736" onclick="return openRuleDetailsDialog('idm46336715672736')">Use Only FIPS 140-2 Validated Ciphers</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_disable_host_auth" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_disable_host_auth" id="rule-overview-leaf-idm46336715644928" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh_server" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86583r2_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00229"],"DISA STIG":["RHEL-07-010470"],"NIST SP 800-171":["3.1.12"],"NIST SP 800-53":["AC-3","CM-6(b)"],"CIS Recommendation":["5.2.7"],"FBI CJIS":["5.5.6"],"HIPAA":["164.308(a)(4)(i)","164.308(b)(1)","164.308(b)(3)","164.310(b)","164.312(e)(1)","164.312(e)(2)(ii)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FIA_AFL.1"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336715644928" onclick="return openRuleDetailsDialog('idm46336715644928')">Disable Host-Based Authentication</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sshd_use_priv_separation" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sshd_use_priv_separation" id="rule-overview-leaf-idm46336715651120" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh_server" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86889r2_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-040460"],"NIST SP 800-171":["3.1.12"],"NIST SP 800-53":["AC-6"],"HIPAA":["164.308(a)(4)(i)","164.308(b)(1)","164.308(b)(3)","164.310(b)","164.312(e)(1)","164.312(e)(2)(ii)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336715651120" onclick="return openRuleDetailsDialog('idm46336715651120')">Enable Use of Privilege Separation</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sshd_print_last_log" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sshd_print_last_log" id="rule-overview-leaf-idm46336715623520" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh_server" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86869r2_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-040360"],"NIST SP 800-53":["AC-9"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336715623520" onclick="return openRuleDetailsDialog('idm46336715623520')">Print Last Log</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sshd_disable_gssapi_auth" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sshd_disable_gssapi_auth" id="rule-overview-leaf-idm46336715633328" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh_server" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86883r2_rule"],"DISA CCI":["CCI-000368","CCI-000318","CCI-001812","CCI-001813","CCI-001814"],"DISA SRG":["SRG-OS-000364-GPOS-00151"],"DISA STIG":["RHEL-07-040430"],"NIST SP 800-171":["3.1.12"],"NIST SP 800-53":["CM-6(c)"],"HIPAA":["164.308(a)(4)(i)","164.308(b)(1)","164.308(b)(3)","164.310(b)","164.312(e)(1)","164.312(e)(2)(ii)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FIA_AFL.1"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336715633328" onclick="return openRuleDetailsDialog('idm46336715633328')">Disable GSSAPI Authentication</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sshd_disable_compression" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sshd_disable_compression" id="rule-overview-leaf-idm46336715610304" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh_server" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86891r2_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-040470"],"NIST SP 800-171":["3.1.12"],"NIST SP 800-53":["CM-6(b)"],"HIPAA":["164.308(a)(4)(i)","164.308(b)(1)","164.308(b)(3)","164.310(b)","164.312(e)(1)","164.312(e)(2)(ii)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336715610304" onclick="return openRuleDetailsDialog('idm46336715610304')">Disable Compression Or Set Compression to delayed</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sshd_disable_root_login" id="rule-overview-leaf-idm46336715607360" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh_server" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86871r2_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-040370"],"NIST SP 800-171":["3.1.1","3.1.5"],"NIST SP 800-53":["AC-3","AC-6(2)","IA-2(1)","IA-2(5)"],"CIS Recommendation":["5.2.8"],"FBI CJIS":["5.5.6"],"HIPAA":["164.308(a)(4)(i)","164.308(b)(1)","164.308(b)(3)","164.310(b)","164.312(e)(1)","164.312(e)(2)(ii)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FIA_AFL.1"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336715607360" onclick="return openRuleDetailsDialog('idm46336715607360')">Disable SSH Root Login</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_openssh-server_installed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_openssh-server_installed" id="rule-overview-leaf-idm46336715591888" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh" data-references='{"":["SRG-OS000423-GPOS-00190"],"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86857r2_rule"],"DISA CCI":["CCI-002418","CCI-002420","CCI-002421","CCI-002422"],"DISA SRG":["SRG-OS-000423-GPOS-00187","SRG-OS-000423-GPOS-00188","SRG-OS-000423-GPOS-00189"],"DISA STIG":["RHEL-07-040300"],"NIST SP 800-53":["SC-8"]}'><td style="padding-left: 57px"><a href="#rule-detail-idm46336715591888" onclick="return openRuleDetailsDialog('idm46336715591888')">Install the OpenSSH Server Package</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_sshd_enabled" class="rule-overview-leaf rule-overview-leaf-error rule-overview-needs-attention" id="rule-overview-leaf-idm46336715581728" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh" data-references='{"":["SRG-OS000423-GPOS-00190"],"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86859r2_rule"],"DISA CCI":["CCI-002418","CCI-002420","CCI-002421","CCI-002422"],"DISA SRG":["SRG-OS-000423-GPOS-00187","SRG-OS-000423-GPOS-00188","SRG-OS-000423-GPOS-00189"],"DISA STIG":["RHEL-07-040310"],"NIST SP 800-171":["3.1.13","3.5.4","3.13.8"],"NIST SP 800-53":["SC-8"]}'><td style="padding-left: 57px"><a href="#rule-detail-idm46336715581728" onclick="return openRuleDetailsDialog('idm46336715581728')">Enable the OpenSSH Service</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-error"><div><abbr title="The checking engine could not complete the evaluation, therefore the status of the target's compliance with the rule is not certain. This could happen, for example, if a testing tool was run with insufficient privileges and could not gather all of the necessary information.">error</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_file_permissions_sshd_pub_key" class="rule-overview-leaf rule-overview-leaf-error rule-overview-needs-attention" id="rule-overview-leaf-idm46336715575168" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86879r1_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-040410"],"NIST SP 800-171":["3.1.13","3.13.10"],"NIST SP 800-53":["AC-6"]}'><td style="padding-left: 57px"><a href="#rule-detail-idm46336715575168" onclick="return openRuleDetailsDialog('idm46336715575168')">Verify Permissions on SSH Server Public *.pub Key Files</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-error"><div><abbr title="The checking engine could not complete the evaluation, therefore the status of the target's compliance with the rule is not certain. This could happen, for example, if a testing tool was run with insufficient privileges and could not gather all of the necessary information.">error</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key" class="rule-overview-leaf rule-overview-leaf-error rule-overview-needs-attention" id="rule-overview-leaf-idm46336715567280" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86881r1_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-040420"],"NIST SP 800-171":["3.1.13","3.13.10"],"NIST SP 800-53":["AC-6"]}'><td style="padding-left: 57px"><a href="#rule-detail-idm46336715567280" onclick="return openRuleDetailsDialog('idm46336715567280')">Verify Permissions on SSH Server Private *_key Key Files</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-error"><div><abbr title="The checking engine could not complete the evaluation, therefore the status of the target's compliance with the rule is not certain. This could happen, for example, if a testing tool was run with insufficient privileges and could not gather all of the necessary information.">error</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_system" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="xccdf_org.ssgproject.content_benchmark_RHEL-7"><td colspan="3" style="padding-left: 19px"><strong>System Settings</strong> <span class="badge">9x fail</span> <span class="badge">6x error</span> <span class="badge">26x notchecked</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_logging" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_logging" data-tt-parent-id="xccdf_org.ssgproject.content_group_system"><td colspan="3" style="padding-left: 38px">Configure Syslog<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_logging");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_rsyslog_sending_messages" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_rsyslog_sending_messages" data-tt-parent-id="xccdf_org.ssgproject.content_group_logging"><td colspan="3" style="padding-left: 57px">Rsyslog Logs Sent To Remote Host<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_rsyslog_sending_messages");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_rsyslog_remote_loghost" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_rsyslog_remote_loghost" id="rule-overview-leaf-idm46336715556560" data-tt-parent-id="xccdf_org.ssgproject.content_group_rsyslog_sending_messages" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86833r1_rule"],"DISA CCI":["CCI-000366","CCI-001348","CCI-000136","CCI-001851"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-031000"],"NIST SP 800-53":["AU-3(2)","AU-4(1)","AU-9"],"CIS Recommendation":["4.2.1.4"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(5)(ii)(B)","164.308(a)(5)(ii)(C)","164.308(a)(6)(ii)","164.308(a)(8)","164.310(d)(2)(iii)","164.312(b)","164.314(a)(2)(i)(C)","164.314(a)(2)(iii)"],"ISO 27001-2013":["A.12.3.1"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336715556560" onclick="return openRuleDetailsDialog('idm46336715556560')">Ensure Logs Sent To Remote Host</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_ensure_rsyslog_log_file_configuration" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_ensure_rsyslog_log_file_configuration" data-tt-parent-id="xccdf_org.ssgproject.content_group_logging"><td colspan="3" style="padding-left: 57px">Ensure Proper Configuration of Log Files<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_ensure_rsyslog_log_file_configuration");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_rsyslog_cron_logging" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_rsyslog_cron_logging" id="rule-overview-leaf-idm46336715553072" data-tt-parent-id="xccdf_org.ssgproject.content_group_ensure_rsyslog_log_file_configuration" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86675r1_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-021100"],"NIST SP 800-53":["AU-2(d)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336715553072" onclick="return openRuleDetailsDialog('idm46336715553072')">Ensure cron Is Logging To Rsyslog</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_rsyslog_accepting_remote_messages" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_rsyslog_accepting_remote_messages" data-tt-parent-id="xccdf_org.ssgproject.content_group_logging"><td colspan="3" style="padding-left: 57px">Configure <tt>rsyslogd</tt> to Accept Remote Messages If Acting as a Log Server<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_rsyslog_accepting_remote_messages");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_rsyslog_nolisten" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_rsyslog_nolisten" id="rule-overview-leaf-idm46336715526848" data-tt-parent-id="xccdf_org.ssgproject.content_group_rsyslog_accepting_remote_messages" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86835r1_rule"],"DISA CCI":["CCI-000318","CCI-000368","CCI-001812","CCI-001813","CCI-001814"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-031010"],"NIST SP 800-53":["AU-9(2)","AC-4","CM-6(c)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336715526848" onclick="return openRuleDetailsDialog('idm46336715526848')">Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_network" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_network" data-tt-parent-id="xccdf_org.ssgproject.content_group_system"><td colspan="3" style="padding-left: 38px"><strong>Network Configuration and Firewalls</strong> <span class="badge">2x fail</span> <span class="badge">1x error</span> <span class="badge">2x notchecked</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_network-firewalld" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_network-firewalld" data-tt-parent-id="xccdf_org.ssgproject.content_group_network"><td colspan="3" style="padding-left: 57px"><strong>firewalld</strong> <span class="badge">1x fail</span> <span class="badge">1x error</span> <span class="badge">1x notchecked</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_ruleset_modifications" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_ruleset_modifications" data-tt-parent-id="xccdf_org.ssgproject.content_group_network-firewalld"><td colspan="3" style="padding-left: 76px"><strong>Strengthen the Default Ruleset</strong> <span class="badge">1x fail</span> <span class="badge">1x notchecked</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_set_firewalld_default_zone" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46336715510240" data-tt-parent-id="xccdf_org.ssgproject.content_group_ruleset_modifications" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86939r2_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-040810"],"NIST SP 800-171":["3.1.3","3.4.7","3.13.6"],"NIST SP 800-53":["CM-6(b)","CM-7"],"FBI CJIS":["5.10.1"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_MOF_EXT.1"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336715510240" onclick="return openRuleDetailsDialog('idm46336715510240')">Set Default firewalld Zone for Incoming Packets</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_configure_firewalld_ports" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_configure_firewalld_ports" id="rule-overview-leaf-idm46336715506272" data-tt-parent-id="xccdf_org.ssgproject.content_group_ruleset_modifications" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86843r1_rule"],"DISA CCI":["CCI-000382","CCI-002314"],"DISA SRG":["SRG-OS-000096-GPOS-00050","SRG-OS-000297-GPOS-00115"],"DISA STIG":["RHEL-07-040100"],"NIST SP 800-53":["CM-7","CM-7.1(iii)","CM-7(b)","AC-17(1)"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336715506272" onclick="return openRuleDetailsDialog('idm46336715506272')">Configure the Firewalld Ports</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_configure_firewalld_rate_limiting" class="rule-overview-leaf rule-overview-leaf-notchecked rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_configure_firewalld_rate_limiting" id="rule-overview-leaf-idm46336715482528" data-tt-parent-id="xccdf_org.ssgproject.content_group_ruleset_modifications" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86895r2_rule"],"DISA CCI":["CCI-002385"],"DISA SRG":["SRG-OS-000420-GPOS-00186"],"DISA STIG":["RHEL-07-040510"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336715482528" onclick="return openRuleDetailsDialog('idm46336715482528')">Configure firewalld To Rate Limit Connections</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_firewalld_activation" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_firewalld_activation" data-tt-parent-id="xccdf_org.ssgproject.content_group_network-firewalld"><td colspan="3" style="padding-left: 76px"><strong>Inspect and Activate Default firewalld Rules</strong> <span class="badge">1x error</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_firewalld_enabled" class="rule-overview-leaf rule-overview-leaf-error rule-overview-needs-attention" id="rule-overview-leaf-idm46336715500448" data-tt-parent-id="xccdf_org.ssgproject.content_group_firewalld_activation" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86897r1_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-040520"],"NIST SP 800-171":["3.1.3","3.4.7"],"NIST SP 800-53":["CM-6(b)"],"CIS Recommendation":["4.7"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_MOF_EXT.1"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336715500448" onclick="return openRuleDetailsDialog('idm46336715500448')">Verify firewalld Enabled</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-error"><div><abbr title="The checking engine could not complete the evaluation, therefore the status of the target's compliance with the rule is not certain. This could happen, for example, if a testing tool was run with insufficient privileges and could not gather all of the necessary information.">error</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_network-ipsec" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_network-ipsec" data-tt-parent-id="xccdf_org.ssgproject.content_group_network"><td colspan="3" style="padding-left: 57px"><strong>IPSec Support</strong> <span class="badge">1x notchecked</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_libreswan_approved_tunnels" class="rule-overview-leaf rule-overview-leaf-notchecked rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_libreswan_approved_tunnels" id="rule-overview-leaf-idm46336715478304" data-tt-parent-id="xccdf_org.ssgproject.content_group_network-ipsec" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86941r1_rule"],"DISA CCI":["CCI-000336"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-040820"],"NIST SP 800-53":["AC-4"],"HIPAA":["164.308(a)(4)(i)","164.308(b)(1)","164.308(b)(3)","164.310(b)","164.312(e)(1)","164.312(e)(2)(ii)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336715478304" onclick="return openRuleDetailsDialog('idm46336715478304')">Verify Any Configured IPSec Tunnel Connections</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_network-ipv6" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_network-ipv6" data-tt-parent-id="xccdf_org.ssgproject.content_group_network"><td colspan="3" style="padding-left: 57px">IPv6<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_network-ipv6");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_configuring_ipv6" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_configuring_ipv6" data-tt-parent-id="xccdf_org.ssgproject.content_group_network-ipv6"><td colspan="3" style="padding-left: 76px">Configure IPv6 Settings if Necessary<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_configuring_ipv6");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_disabling_ipv6_autoconfig" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_disabling_ipv6_autoconfig" data-tt-parent-id="xccdf_org.ssgproject.content_group_configuring_ipv6"><td colspan="3" style="padding-left: 95px">Disable Automatic Configuration<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_disabling_ipv6_autoconfig");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_source_route" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_source_route" id="rule-overview-leaf-idm46336715461456" data-tt-parent-id="xccdf_org.ssgproject.content_group_disabling_ipv6_autoconfig" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86943r1_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-040830"],"NIST SP 800-171":["3.1.20"],"NIST SP 800-53":["AC-4"]}'><td style="padding-left: 114px"><a href="#rule-detail-idm46336715461456" onclick="return openRuleDetailsDialog('idm46336715461456')">Configure Kernel Parameter for Accepting IPv6 Source-Routed Packets for All Interfaces</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_network-kernel" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_network-kernel" data-tt-parent-id="xccdf_org.ssgproject.content_group_network"><td colspan="3" style="padding-left: 57px">Kernel Parameters Which Affect Networking<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_network-kernel");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_network_host_and_router_parameters" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_network_host_and_router_parameters" data-tt-parent-id="xccdf_org.ssgproject.content_group_network-kernel"><td colspan="3" style="padding-left: 76px">Network Related Kernel Runtime Parameters for Hosts and Routers<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_network_host_and_router_parameters");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_source_route" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_source_route" id="rule-overview-leaf-idm46336715419728" data-tt-parent-id="xccdf_org.ssgproject.content_group_network_host_and_router_parameters" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86909r1_rule"],"DISA CCI":["CCI-000366","CCI-001551"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-040620"],"NIST SP 800-171":["3.1.20"],"NIST SP 800-53":["AC-4","CM-7","SC-5","SC-7"],"CIS Recommendation":["3.2.1"],"FBI CJIS":["5.10.1.1"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336715419728" onclick="return openRuleDetailsDialog('idm46336715419728')">Configure Kernel Parameter for Accepting Source-Routed Packets By Default</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_echo_ignore_broadcasts" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_echo_ignore_broadcasts" id="rule-overview-leaf-idm46336715414784" data-tt-parent-id="xccdf_org.ssgproject.content_group_network_host_and_router_parameters" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86911r1_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-040630"],"NIST SP 800-171":["3.1.20"],"NIST SP 800-53":["AC-4","CM-7","SC-5"],"CIS Recommendation":["3.2.5"],"FBI CJIS":["5.10.1.1"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336715414784" onclick="return openRuleDetailsDialog('idm46336715414784')">Configure Kernel Parameter to Ignore ICMP Broadcast Echo Requests</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_redirects" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_redirects" id="rule-overview-leaf-idm46336715394880" data-tt-parent-id="xccdf_org.ssgproject.content_group_network_host_and_router_parameters" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86913r2_rule"],"DISA CCI":["CCI-001551"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-040640"],"NIST SP 800-171":["3.1.20"],"NIST SP 800-53":["AC-4","CM-7","SC-5","SC-7"],"CIS Recommendation":["3.2.2"],"FBI CJIS":["5.10.1.1"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336715394880" onclick="return openRuleDetailsDialog('idm46336715394880')">Configure Kernel Parameter for Accepting ICMP Redirects By Default</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_source_route" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_source_route" id="rule-overview-leaf-idm46336715405424" data-tt-parent-id="xccdf_org.ssgproject.content_group_network_host_and_router_parameters" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86907r1_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-040610"],"NIST SP 800-171":["3.1.20"],"NIST SP 800-53":["AC-4","CM-7","SC-5"],"CIS Recommendation":["3.2.1"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336715405424" onclick="return openRuleDetailsDialog('idm46336715405424')">Configure Kernel Parameter for Accepting IPv4 Source-Routed Packets for All Interfaces</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_redirects" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_redirects" id="rule-overview-leaf-idm46336715381136" data-tt-parent-id="xccdf_org.ssgproject.content_group_network_host_and_router_parameters" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-87827r3_rule"],"DISA CCI":["CCI-000366","CCI-001503","CCI-001551"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-040641"],"NIST SP 800-171":["3.1.20"],"NIST SP 800-53":["CM-6(d)","CM-7","SC-5"],"CIS Recommendation":["3.2.2"],"FBI CJIS":["5.10.1.1"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336715381136" onclick="return openRuleDetailsDialog('idm46336715381136')">Configure Kernel Parameter for Accepting ICMP Redirects for All Interfaces</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_network_host_parameters" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_network_host_parameters" data-tt-parent-id="xccdf_org.ssgproject.content_group_network-kernel"><td colspan="3" style="padding-left: 76px">Network Parameters for Hosts Only<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_network_host_parameters");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_forward" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_forward" id="rule-overview-leaf-idm46336715354048" data-tt-parent-id="xccdf_org.ssgproject.content_group_network_host_parameters" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86933r1_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-040740"],"NIST SP 800-171":["3.1.20"],"NIST SP 800-53":["CM-7","SC-5","SC-32"],"CIS Recommendation":["3.1.1"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336715354048" onclick="return openRuleDetailsDialog('idm46336715354048')">Disable Kernel Parameter for IP Forwarding</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_send_redirects" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_send_redirects" id="rule-overview-leaf-idm46336715335328" data-tt-parent-id="xccdf_org.ssgproject.content_group_network_host_parameters" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86917r2_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-040660"],"NIST SP 800-171":["3.1.20"],"NIST SP 800-53":["AC-4","CM-7","SC-5(1)"],"CIS Recommendation":["3.1.2"],"FBI CJIS":["5.10.1.1"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336715335328" onclick="return openRuleDetailsDialog('idm46336715335328')">Disable Kernel Parameter for Sending ICMP Redirects for All Interfaces</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_send_redirects" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_send_redirects" id="rule-overview-leaf-idm46336715342624" data-tt-parent-id="xccdf_org.ssgproject.content_group_network_host_parameters" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86915r3_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-040650"],"NIST SP 800-171":["3.1.20"],"NIST SP 800-53":["AC-4","CM-7","SC-5","SC-7"],"CIS Recommendation":["3.1.2"],"FBI CJIS":["5.10.1.1"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336715342624" onclick="return openRuleDetailsDialog('idm46336715342624')">Disable Kernel Parameter for Sending ICMP Redirects by Default</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_network-uncommon" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_network-uncommon" data-tt-parent-id="xccdf_org.ssgproject.content_group_network"><td colspan="3" style="padding-left: 57px">Uncommon Network Protocols<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_network-uncommon");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_kernel_module_dccp_disabled" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_kernel_module_dccp_disabled" id="rule-overview-leaf-idm46336715329360" data-tt-parent-id="xccdf_org.ssgproject.content_group_network-uncommon" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-92517r1_rule"],"DISA CCI":["CCI-001958"],"DISA STIG":["RHEL-07-020101"],"NIST SP 800-171":["3.4.6"],"NIST SP 800-53":["CM-7"],"CIS Recommendation":["3.5.1"],"FBI CJIS":["5.10.1"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336715329360" onclick="return openRuleDetailsDialog('idm46336715329360')">Disable DCCP Support</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_network-wireless" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_network-wireless" data-tt-parent-id="xccdf_org.ssgproject.content_group_network"><td colspan="3" style="padding-left: 57px">Wireless Networking<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_network-wireless");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_wireless_software" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_wireless_software" data-tt-parent-id="xccdf_org.ssgproject.content_group_network-wireless"><td colspan="3" style="padding-left: 76px">Disable Wireless Through Software Configuration<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_wireless_software");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_wireless_disable_interfaces" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_wireless_disable_interfaces" id="rule-overview-leaf-idm46336715300032" data-tt-parent-id="xccdf_org.ssgproject.content_group_wireless_software" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-87829r1_rule"],"DISA CCI":["CCI-000085","CCI-002418"],"DISA SRG":["SRG-OS-000424-GPOS-00188"],"DISA STIG":["RHEL-07-041010"],"NIST SP 800-171":["3.1.16"],"NIST SP 800-53":["AC-17(8)","AC-18(a)","AC-18(d)","AC-18(3)","CM-7"],"CIS Recommendation":["4.3.1"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336715300032" onclick="return openRuleDetailsDialog('idm46336715300032')">Deactivate Wireless Network Interfaces</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_network_sniffer_disabled" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_network_sniffer_disabled" id="rule-overview-leaf-idm46336715296064" data-tt-parent-id="xccdf_org.ssgproject.content_group_network" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86919r1_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-040670"],"NIST SP 800-53":["CM-7","CM-7(2).1(i)","MA-3"]}'><td style="padding-left: 57px"><a href="#rule-detail-idm46336715296064" onclick="return openRuleDetailsDialog('idm46336715296064')">Ensure System is Not Acting as a Network Sniffer</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_network_configure_name_resolution" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46336715287104" data-tt-parent-id="xccdf_org.ssgproject.content_group_network" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86905r1_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-040600"],"NIST SP 800-53":["SC-22"]}'><td style="padding-left: 57px"><a href="#rule-detail-idm46336715287104" onclick="return openRuleDetailsDialog('idm46336715287104')">Configure Multiple DNS Servers in /etc/resolv.conf</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_bootloader-grub2" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_bootloader-grub2" data-tt-parent-id="xccdf_org.ssgproject.content_group_system"><td colspan="3" style="padding-left: 38px"><strong>Set Boot Loader Password</strong> <span class="badge">1x fail</span> <span class="badge">1x notchecked</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_grub2_password" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46336715283136" data-tt-parent-id="xccdf_org.ssgproject.content_group_bootloader-grub2" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86585r4_rule"],"DISA CCI":["CCI-000213"],"DISA SRG":["SRG-OS-000080-GPOS-00048"],"DISA STIG":["RHEL-07-010480"],"NIST SP 800-171":["3.4.5"],"NIST SP 800-53":["IA-2(1)","IA-5(e)","AC-3"],"CIS Recommendation":["1.4.2"],"HIPAA":["164.308(a)(1)(ii)(B)","164.308(a)(7)(i)","164.308(a)(7)(ii)(A)","164.310(a)(1)","164.310(a)(2)(i)","164.310(a)(2)(ii)","164.310(a)(2)(iii)","164.310(b)","164.310(c)","164.310(d)(1)","164.310(d)(2)(iii)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FIA_AFL.1"]}'><td style="padding-left: 57px"><a href="#rule-detail-idm46336715283136" onclick="return openRuleDetailsDialog('idm46336715283136')">Set Boot Loader Password in grub2</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_grub2_uefi_password" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_grub2_uefi_password" id="rule-overview-leaf-idm46336715274224" data-tt-parent-id="xccdf_org.ssgproject.content_group_bootloader-grub2" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86587r3_rule"],"DISA CCI":["CCI-000213"],"DISA SRG":["SRG-OS-000080-GPOS-00048"],"DISA STIG":["RHEL-07-010490"],"NIST SP 800-171":["3.4.5"],"NIST SP 800-53":["AC-3"],"CIS Recommendation":["1.4.2"],"HIPAA":["164.308(a)(1)(ii)(B)","164.308(a)(7)(i)","164.308(a)(7)(ii)(A)","164.310(a)(1)","164.310(a)(2)(i)","164.310(a)(2)(ii)","164.310(a)(2)(iii)","164.310(b)","164.310(c)","164.310(d)(1)","164.310(d)(2)(iii)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FIA_AFL.1"]}'><td style="padding-left: 57px"><a href="#rule-detail-idm46336715274224" onclick="return openRuleDetailsDialog('idm46336715274224')">Set the UEFI Boot Loader Password</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_grub2_no_removeable_media" class="rule-overview-leaf rule-overview-leaf-notchecked rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_grub2_no_removeable_media" id="rule-overview-leaf-idm46336715270288" data-tt-parent-id="xccdf_org.ssgproject.content_group_bootloader-grub2" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86699r1_rule"],"DISA CCI":["CCI-001814"],"DISA SRG":["SRG-OS-000364-GPOS-00151"],"DISA STIG":["RHEL-07-021700"]}'><td style="padding-left: 57px"><a href="#rule-detail-idm46336715270288" onclick="return openRuleDetailsDialog('idm46336715270288')">Boat Loader Is Not Installed On Removeable Media</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_selinux" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_selinux" data-tt-parent-id="xccdf_org.ssgproject.content_group_system"><td colspan="3" style="padding-left: 38px"><strong>SELinux</strong> <span class="badge">1x fail</span> <span class="badge">1x notchecked</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_selinux_policytype" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_selinux_policytype" id="rule-overview-leaf-idm46336714674640" data-tt-parent-id="xccdf_org.ssgproject.content_group_selinux" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86615r3_rule"],"DISA CCI":["CCI-002696"],"DISA SRG":["SRG-OS-000445-GPOS-00199"],"DISA STIG":["RHEL-07-020220"],"NIST SP 800-171":["3.1.2","3.7.2"],"NIST SP 800-53":["AC-3","AC-3(3)","AC-3(4)","AC-4","AC-6","AU-9","SI-6(a)"],"CIS Recommendation":["1.6.1.3"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)","164.308(a)(4)","164.310(b)","164.310(c)","164.312(a)","164.312(e)"]}'><td style="padding-left: 57px"><a href="#rule-detail-idm46336714674640" onclick="return openRuleDetailsDialog('idm46336714674640')">Configure SELinux Policy</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_selinux_all_devicefiles_labeled" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46336714664784" data-tt-parent-id="xccdf_org.ssgproject.content_group_selinux" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86663r1_rule"],"DISA CCI":["CCI-000022","CCI-000032","CCI-000368","CCI-000318","CCI-001812","CCI-001813","CCI-001814"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-020900"],"NIST SP 800-171":["3.1.2","3.1.5","3.7.2"],"NIST SP 800-53":["AC-6","AU-9","CM-3(f)","CM-7"]}'><td style="padding-left: 57px"><a href="#rule-detail-idm46336714664784" onclick="return openRuleDetailsDialog('idm46336714664784')">Ensure No Device Files are Unlabeled by SELinux</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_selinux_user_login_roles" class="rule-overview-leaf rule-overview-leaf-notchecked rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_selinux_user_login_roles" id="rule-overview-leaf-idm46336714660816" data-tt-parent-id="xccdf_org.ssgproject.content_group_selinux" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86595r1_rule"],"DISA CCI":["CCI-002235"],"DISA SRG":["SRG-OS-000324-GPOS-00125"],"DISA STIG":["RHEL-07-020020"]}'><td style="padding-left: 57px"><a href="#rule-detail-idm46336714660816" onclick="return openRuleDetailsDialog('idm46336714660816')">Map System Users To The Appropriate SELinux Role</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_selinux_state" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_selinux_state" id="rule-overview-leaf-idm46336714658000" data-tt-parent-id="xccdf_org.ssgproject.content_group_selinux" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86613r2_rule"],"DISA CCI":["CCI-002165","CCI-002696"],"DISA SRG":["SRG-OS-000445-GPOS-00199"],"DISA STIG":["RHEL-07-020210"],"NIST SP 800-171":["3.1.2","3.7.2"],"NIST SP 800-53":["AC-3","AC-3(3)","AC-3(4)","AC-4","AC-6","AU-9","SI-6(a)"],"CIS Recommendation":["1.6.1.2"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)","164.308(a)(4)","164.310(b)","164.310(c)","164.312(a)","164.312(e)"]}'><td style="padding-left: 57px"><a href="#rule-detail-idm46336714658000" onclick="return openRuleDetailsDialog('idm46336714658000')">Ensure SELinux State is Enforcing</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_accounts" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_accounts" data-tt-parent-id="xccdf_org.ssgproject.content_group_system"><td colspan="3" style="padding-left: 38px"><strong>Account and Access Control</strong> <span class="badge">2x error</span> <span class="badge">17x notchecked</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_accounts-pam" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_accounts-pam" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts"><td colspan="3" style="padding-left: 57px">Protect Accounts by Configuring PAM<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_accounts-pam");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_set_password_hashing_algorithm" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_set_password_hashing_algorithm" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-pam"><td colspan="3" style="padding-left: 76px">Set Password Hashing Algorithm<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_set_password_hashing_algorithm");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_logindefs" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_logindefs" id="rule-overview-leaf-idm46336714645440" data-tt-parent-id="xccdf_org.ssgproject.content_group_set_password_hashing_algorithm" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86545r1_rule"],"DISA CCI":["CCI-000196"],"DISA SRG":["SRG-OS-000073-GPOS-00041"],"DISA STIG":["RHEL-07-010210"],"NIST SP 800-171":["3.13.11"],"NIST SP 800-53":["IA-5(b)","IA-5(c)","IA-5(1)(c)","IA-7"],"CIS Recommendation":["6.3.1"],"FBI CJIS":["5.6.2.2"],"PCI-DSS Requirement":["Req-8.2.1"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336714645440" onclick="return openRuleDetailsDialog('idm46336714645440')">Set Password Hashing Algorithm in /etc/login.defs</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_libuserconf" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_libuserconf" id="rule-overview-leaf-idm46336714641440" data-tt-parent-id="xccdf_org.ssgproject.content_group_set_password_hashing_algorithm" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86547r2_rule"],"DISA CCI":["CCI-000196"],"DISA SRG":["SRG-OS-000073-GPOS-00041"],"DISA STIG":["RHEL-07-010220"],"NIST SP 800-171":["3.13.11"],"NIST SP 800-53":["IA-5(b)","IA-5(c)","IA-5(1)(c)","IA-7"],"FBI CJIS":["5.6.2.2"],"PCI-DSS Requirement":["Req-8.2.1"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336714641440" onclick="return openRuleDetailsDialog('idm46336714641440')">Set Password Hashing Algorithm in /etc/libuser.conf</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_systemauth" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_systemauth" id="rule-overview-leaf-idm46336714637488" data-tt-parent-id="xccdf_org.ssgproject.content_group_set_password_hashing_algorithm" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86543r2_rule"],"DISA CCI":["CCI-000196"],"DISA SRG":["SRG-OS-000073-GPOS-00041"],"DISA STIG":["RHEL-07-010200"],"NIST SP 800-171":["3.13.11"],"NIST SP 800-53":["IA-5(b)","IA-5(c)","IA-5(1)(c)","IA-7"],"CIS Recommendation":["6.3.1"],"FBI CJIS":["5.6.2.2"],"PCI-DSS Requirement":["Req-8.2.1"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336714637488" onclick="return openRuleDetailsDialog('idm46336714637488')">Set PAM's Password Hashing Algorithm</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_locking_out_password_attempts" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_locking_out_password_attempts" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-pam"><td colspan="3" style="padding-left: 76px">Set Lockouts for Failed Password Attempts<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_locking_out_password_attempts");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root" id="rule-overview-leaf-idm46336714633536" data-tt-parent-id="xccdf_org.ssgproject.content_group_locking_out_password_attempts" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86569r2_rule"],"DISA CCI":["CCI-002238"],"DISA SRG":["SRG-OS-000329-GPOS-00128","SRG-OS-000021-GPOS-00005"],"DISA STIG":["RHEL-07-010330"],"NIST SP 800-53":["AC-7(b)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_MOF_EXT.1"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336714633536" onclick="return openRuleDetailsDialog('idm46336714633536')">Configure the root Account for Failed Password Attempts</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time" id="rule-overview-leaf-idm46336714628224" data-tt-parent-id="xccdf_org.ssgproject.content_group_locking_out_password_attempts" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86567r3_rule"],"DISA CCI":["CCI-002238"],"DISA SRG":["SRG-OS-000329-GPOS-00128","SRG-OS-000021-GPOS-00005"],"DISA STIG":["RHEL-07-010320"],"NIST SP 800-171":["3.1.8"],"NIST SP 800-53":["AC-7(b)"],"CIS Recommendation":["5.3.2"],"FBI CJIS":["5.5.3"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_MOF_EXT.1"],"PCI-DSS Requirement":["Req-8.1.7"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336714628224" onclick="return openRuleDetailsDialog('idm46336714628224')">Set Lockout Time For Failed Password Attempts</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember" id="rule-overview-leaf-idm46336714620080" data-tt-parent-id="xccdf_org.ssgproject.content_group_locking_out_password_attempts" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86557r2_rule"],"DISA CCI":["CCI-000200"],"DISA SRG":["SRG-OS-000077-GPOS-00045"],"DISA STIG":["RHEL-07-010270"],"NIST SP 800-171":["3.5.8"],"NIST SP 800-53":["IA-5(f)","IA-5(1)(e)"],"CIS Recommendation":["5.3.3"],"FBI CJIS":["5.6.2.1.1"],"PCI-DSS Requirement":["Req-8.2.5"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336714620080" onclick="return openRuleDetailsDialog('idm46336714620080')">Limit Password Reuse</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval" id="rule-overview-leaf-idm46336714609248" data-tt-parent-id="xccdf_org.ssgproject.content_group_locking_out_password_attempts" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86567r3_rule"],"DISA CCI":["CCI-002238"],"DISA SRG":["SRG-OS-000329-GPOS-00128","SRG-OS-000021-GPOS-00005"],"DISA STIG":["RHEL-07-010320"],"NIST SP 800-53":["AC-7(b)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_MOF_EXT.1"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336714609248" onclick="return openRuleDetailsDialog('idm46336714609248')">Set Interval For Counting Failed Password Attempts</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny" id="rule-overview-leaf-idm46336714603408" data-tt-parent-id="xccdf_org.ssgproject.content_group_locking_out_password_attempts" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86567r3_rule"],"DISA CCI":["CCI-002238"],"DISA SRG":["SRG-OS-000329-GPOS-00128","SRG-OS-000021-GPOS-00005"],"DISA STIG":["RHEL-07-010320"],"NIST SP 800-171":["3.1.8"],"NIST SP 800-53":["AC-7(b)"],"CIS Recommendation":["5.3.2"],"FBI CJIS":["5.5.3"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_MOF_EXT.1"],"PCI-DSS Requirement":["Req-8.1.6"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336714603408" onclick="return openRuleDetailsDialog('idm46336714603408')">Set Deny For Failed Password Attempts</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_password_quality" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_password_quality" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-pam"><td colspan="3" style="padding-left: 76px">Set Password Quality Requirements<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_password_quality");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_password_quality_pwquality" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_password_quality_pwquality" data-tt-parent-id="xccdf_org.ssgproject.content_group_password_quality"><td colspan="3" style="padding-left: 95px">Set Password Quality Requirements with pam_pwquality<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_password_quality_pwquality");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen" id="rule-overview-leaf-idm46336714589136" data-tt-parent-id="xccdf_org.ssgproject.content_group_password_quality_pwquality" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86559r1_rule"],"DISA CCI":["CCI-000205"],"DISA SRG":["SRG-OS-000078-GPOS-00046"],"DISA STIG":["RHEL-07-010280"],"NIST SP 800-53":["IA-5(1)(a)"],"CIS Recommendation":["6.3.2"],"FBI CJIS":["5.6.2.1.1"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_MOF_EXT.1"],"PCI-DSS Requirement":["Req-8.2.3"]}'><td style="padding-left: 114px"><a href="#rule-detail-idm46336714589136" onclick="return openRuleDetailsDialog('idm46336714589136')">Set Password Minimum Length</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_password_pam_maxclassrepeat" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_password_pam_maxclassrepeat" id="rule-overview-leaf-idm46336714594064" data-tt-parent-id="xccdf_org.ssgproject.content_group_password_quality_pwquality" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86541r1_rule"],"DISA CCI":["CCI-000195"],"DISA SRG":["SRG-OS-000072-GPOS-00040"],"DISA STIG":["RHEL-07-010190"],"NIST SP 800-53":["IA-5","IA-5(c)"]}'><td style="padding-left: 114px"><a href="#rule-detail-idm46336714594064" onclick="return openRuleDetailsDialog('idm46336714594064')">Set Password to Maximum of Consecutive Repeating Characters from Same Character Class</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_password_pam_maxrepeat" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_password_pam_maxrepeat" id="rule-overview-leaf-idm46336714577552" data-tt-parent-id="xccdf_org.ssgproject.content_group_password_quality_pwquality" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86539r2_rule"],"DISA CCI":["CCI-000195"],"DISA SRG":["SRG-OS-000072-GPOS-00040"],"DISA STIG":["RHEL-07-010180"],"NIST SP 800-53":["IA-5","IA-5(c)"]}'><td style="padding-left: 114px"><a href="#rule-detail-idm46336714577552" onclick="return openRuleDetailsDialog('idm46336714577552')">Set Password Maximum Consecutive Repeating Characters</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit" id="rule-overview-leaf-idm46336714564160" data-tt-parent-id="xccdf_org.ssgproject.content_group_password_quality_pwquality" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86531r2_rule"],"DISA CCI":["CCI-000194"],"DISA SRG":["SRG-OS-000071-GPOS-00039"],"DISA STIG":["RHEL-07-010140"],"NIST SP 800-53":["IA-5(1)(a)","IA-5(b)","IA-5(c)","194"],"CIS Recommendation":["6.3.2"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_MOF_EXT.1"],"PCI-DSS Requirement":["Req-8.2.3"]}'><td style="padding-left: 114px"><a href="#rule-detail-idm46336714564160" onclick="return openRuleDetailsDialog('idm46336714564160')">Set Password Strength Minimum Digit Characters</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_password_pam_minclass" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_password_pam_minclass" id="rule-overview-leaf-idm46336714544256" data-tt-parent-id="xccdf_org.ssgproject.content_group_password_quality_pwquality" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86537r1_rule"],"DISA CCI":["CCI-000195"],"DISA SRG":["SRG-OS-000072-GPOS-00040"],"DISA STIG":["RHEL-07-010170"],"NIST SP 800-53":["IA-5"]}'><td style="padding-left: 114px"><a href="#rule-detail-idm46336714544256" onclick="return openRuleDetailsDialog('idm46336714544256')">Set Password Strength Minimum Different Categories</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_password_pam_difok" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_password_pam_difok" id="rule-overview-leaf-idm46336714548704" data-tt-parent-id="xccdf_org.ssgproject.content_group_password_quality_pwquality" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86535r1_rule"],"DISA CCI":["CCI-000195"],"DISA SRG":["SRG-OS-000072-GPOS-00040"],"DISA STIG":["RHEL-07-010160"],"NIST SP 800-53":["IA-5(b)","IA-5(c)","IA-5(1)(b)"],"FBI CJIS":["5.6.2.1.1"]}'><td style="padding-left: 114px"><a href="#rule-detail-idm46336714548704" onclick="return openRuleDetailsDialog('idm46336714548704')">Set Password Strength Minimum Different Characters</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_password_pam_ocredit" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_password_pam_ocredit" id="rule-overview-leaf-idm46336714522304" data-tt-parent-id="xccdf_org.ssgproject.content_group_password_quality_pwquality" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86533r1_rule"],"DISA CCI":["CCI-001619"],"DISA SRG":["SRG-OS-000266-GPOS-00101"],"DISA STIG":["RHEL-07-010150"],"NIST SP 800-53":["IA-5(b)","IA-5(c)","IA-5(1)(a)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_MOF_EXT.1"]}'><td style="padding-left: 114px"><a href="#rule-detail-idm46336714522304" onclick="return openRuleDetailsDialog('idm46336714522304')">Set Password Strength Minimum Special Characters</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit" id="rule-overview-leaf-idm46336714527728" data-tt-parent-id="xccdf_org.ssgproject.content_group_password_quality_pwquality" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86529r4_rule"],"DISA CCI":["CCI-000193"],"DISA SRG":["SRG-OS-000070-GPOS-00038"],"DISA STIG":["RHEL-07-010130"],"NIST SP 800-53":["IA-5(b)","IA-5(c)","IA-5(1)(a)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_MOF_EXT.1"],"PCI-DSS Requirement":["Req-8.2.3"]}'><td style="padding-left: 114px"><a href="#rule-detail-idm46336714527728" onclick="return openRuleDetailsDialog('idm46336714527728')">Set Password Strength Minimum Lowercase Characters</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit" id="rule-overview-leaf-idm46336714500096" data-tt-parent-id="xccdf_org.ssgproject.content_group_password_quality_pwquality" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86527r2_rule"],"DISA CCI":["CCI-000192"],"DISA SRG":["SRG-OS-000069-GPOS-00037"],"DISA STIG":["RHEL-07-010120"],"NIST SP 800-53":["IA-5(b)","IA-5(c)","IA-5(1)(a)"],"CIS Recommendation":["6.3.2"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_MOF_EXT.1"],"PCI-DSS Requirement":["Req-8.2.3"]}'><td style="padding-left: 114px"><a href="#rule-detail-idm46336714500096" onclick="return openRuleDetailsDialog('idm46336714500096')">Set Password Strength Minimum Uppercase Characters</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_password_pam_retry" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_password_pam_retry" id="rule-overview-leaf-idm46336714505536" data-tt-parent-id="xccdf_org.ssgproject.content_group_password_quality_pwquality" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-87811r3_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00225"],"DISA STIG":["RHEL-07-010119"],"NIST SP 800-53":["CM-6(b)","IA-5(c)"],"CIS Recommendation":["6.3.2"],"FBI CJIS":["5.5.3"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_MOF_EXT.1"]}'><td style="padding-left: 114px"><a href="#rule-detail-idm46336714505536" onclick="return openRuleDetailsDialog('idm46336714505536')">Set Password Retry Prompts Permitted Per-Session</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_display_login_attempts" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_display_login_attempts" id="rule-overview-leaf-idm46336714469264" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-pam" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86899r2_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-040530"],"NIST SP 800-53":["AC-9"],"FBI CJIS":["5.5.2"],"PCI-DSS Requirement":["Req-10.2.4"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336714469264" onclick="return openRuleDetailsDialog('idm46336714469264')">Set Last Logon/Access Notification</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_accounts-restrictions" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_accounts-restrictions" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts"><td colspan="3" style="padding-left: 57px"><strong>Protect Accounts by Restricting Password-Based Login</strong> <span class="badge">2x notchecked</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_password_expiration" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_password_expiration" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-restrictions"><td colspan="3" style="padding-left: 76px"><strong>Set Password Expiration Parameters</strong> <span class="badge">2x notchecked</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_minimum_age_login_defs" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_minimum_age_login_defs" id="rule-overview-leaf-idm46336714460304" data-tt-parent-id="xccdf_org.ssgproject.content_group_password_expiration" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86549r1_rule"],"DISA CCI":["CCI-000198"],"DISA SRG":["SRG-OS-000075-GPOS-00043"],"DISA STIG":["RHEL-07-010230"],"NIST SP 800-171":["3.5.8"],"NIST SP 800-53":["IA-5(f)","IA-5(1)(d)"],"FBI CJIS":["5.6.2.1.1"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336714460304" onclick="return openRuleDetailsDialog('idm46336714460304')">Set Password Minimum Age</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs" id="rule-overview-leaf-idm46336714454816" data-tt-parent-id="xccdf_org.ssgproject.content_group_password_expiration" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86553r1_rule"],"DISA CCI":["CCI-000199"],"DISA SRG":["SRG-OS-000076-GPOS-00044"],"DISA STIG":["RHEL-07-010250"],"NIST SP 800-171":["3.5.6"],"NIST SP 800-53":["IA-5(f)","IA-5(g)","IA-5(1)(d)"],"CIS Recommendation":["5.4.1.1"],"FBI CJIS":["5.6.2.1"],"PCI-DSS Requirement":["Req-8.2.4"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336714454816" onclick="return openRuleDetailsDialog('idm46336714454816')">Set Password Maximum Age</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_password_set_min_life_existing" class="rule-overview-leaf rule-overview-leaf-notchecked rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_password_set_min_life_existing" id="rule-overview-leaf-idm46336714444816" data-tt-parent-id="xccdf_org.ssgproject.content_group_password_expiration" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86551r1_rule"],"DISA CCI":["CCI-000198"],"DISA SRG":["SRG-OS-000075-GPOS-00043"],"DISA STIG":["RHEL-07-010240"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336714444816" onclick="return openRuleDetailsDialog('idm46336714444816')">Set Existing Passwords Minimum Age</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_password_set_max_life_existing" class="rule-overview-leaf rule-overview-leaf-notchecked rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_password_set_max_life_existing" id="rule-overview-leaf-idm46336714448256" data-tt-parent-id="xccdf_org.ssgproject.content_group_password_expiration" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86555r1_rule"],"DISA CCI":["CCI-000199"],"DISA SRG":["SRG-OS-000076-GPOS-00044"],"DISA STIG":["RHEL-07-010260"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336714448256" onclick="return openRuleDetailsDialog('idm46336714448256')">Set Existing Passwords Maximum Age</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_root_logins" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_root_logins" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-restrictions"><td colspan="3" style="padding-left: 76px">Restrict Root Logins<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_root_logins");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero" id="rule-overview-leaf-idm46336714422608" data-tt-parent-id="xccdf_org.ssgproject.content_group_root_logins" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86629r1_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-020310"],"NIST SP 800-171":["3.1.1","3.1.5"],"NIST SP 800-53":["AC-6","IA-2(1)","IA-4"],"CIS Recommendation":["6.2.5"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336714422608" onclick="return openRuleDetailsDialog('idm46336714422608')">Verify Only Root Has UID 0</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_account_expiration" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_account_expiration" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-restrictions"><td colspan="3" style="padding-left: 76px">Set Account Expiration Parameters<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_account_expiration");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_account_disable_post_pw_expiration" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_account_disable_post_pw_expiration" id="rule-overview-leaf-idm46336714414288" data-tt-parent-id="xccdf_org.ssgproject.content_group_account_expiration" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86565r1_rule"],"DISA CCI":["CCI-000795"],"DISA SRG":["SRG-OS-000118-GPOS-00060"],"DISA STIG":["RHEL-07-010310"],"NIST SP 800-171":["3.5.6"],"NIST SP 800-53":["AC-2(2)","AC-2(3)","IA-4(e)"],"FBI CJIS":["5.6.2.1.1"],"PCI-DSS Requirement":["Req-8.1.4"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336714414288" onclick="return openRuleDetailsDialog('idm46336714414288')">Set Account Expiration Following Inactivity</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_password_storage" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_password_storage" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-restrictions"><td colspan="3" style="padding-left: 76px">Verify Proper Storage and Existence of Password >Hashes<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_password_storage");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_no_empty_passwords" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_no_empty_passwords" id="rule-overview-leaf-idm46336714393888" data-tt-parent-id="xccdf_org.ssgproject.content_group_password_storage" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86561r2_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-010290"],"NIST SP 800-171":["3.1.1","3.1.5"],"NIST SP 800-53":["AC-6","IA-5(b)","IA-5(c)","IA-5(1)(a)"],"FBI CJIS":["5.5.2"],"HIPAA":["164.308(a)(1)(ii)(B)","164.308(a)(7)(i)","164.308(a)(7)(ii)(A)","164.310(a)(1)","164.310(a)(2)(i)","164.310(a)(2)(ii)","164.310(a)(2)(iii)","164.310(b)","164.310(c)","164.310(d)(1)","164.310(d)(2)(iii)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FIA_AFL.1"],"PCI-DSS Requirement":["Req-8.2.3"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336714393888" onclick="return openRuleDetailsDialog('idm46336714393888')">Prevent Log In to Accounts With Empty Password</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_gid_passwd_group_same" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_gid_passwd_group_same" id="rule-overview-leaf-idm46336714390368" data-tt-parent-id="xccdf_org.ssgproject.content_group_password_storage" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86627r1_rule"],"DISA CCI":["CCI-000764"],"DISA SRG":["SRG-OS-000104-GPOS-00051"],"DISA STIG":["RHEL-07-020300"],"NIST SP 800-53":["IA-2"],"FBI CJIS":["5.5.2"],"PCI-DSS Requirement":["Req-8.5.a"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336714390368" onclick="return openRuleDetailsDialog('idm46336714390368')">All GIDs referenced in /etc/passwd must be defined in /etc/group</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_accounts-physical" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_accounts-physical" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts"><td colspan="3" style="padding-left: 57px"><strong>Protect Physical Console Access</strong> <span class="badge">2x error</span> <span class="badge">1x notchecked</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_screen_locking" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_screen_locking" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-physical"><td colspan="3" style="padding-left: 76px"><strong>Configure Screen Locking</strong> <span class="badge">2x error</span> <span class="badge">1x notchecked</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_console_screen_locking" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_console_screen_locking" data-tt-parent-id="xccdf_org.ssgproject.content_group_screen_locking"><td colspan="3" style="padding-left: 95px">Configure Console Screen Locking<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_console_screen_locking");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_screen_installed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_screen_installed" id="rule-overview-leaf-idm46336714386496" data-tt-parent-id="xccdf_org.ssgproject.content_group_console_screen_locking" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86521r1_rule"],"DISA CCI":["CCI-000057"],"DISA SRG":["SRG-OS-000029-GPOS-00010"],"DISA STIG":["RHEL-07-010090"],"NIST SP 800-171":["3.1.10"],"NIST SP 800-53":["AC-11(a)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_MOF_EXT.1"]}'><td style="padding-left: 114px"><a href="#rule-detail-idm46336714386496" onclick="return openRuleDetailsDialog('idm46336714386496')">Install the screen Package</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_smart_card_login" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_smart_card_login" data-tt-parent-id="xccdf_org.ssgproject.content_group_screen_locking"><td colspan="3" style="padding-left: 95px"><strong>Hardware Tokens for Authentication</strong> <span class="badge">2x error</span> <span class="badge">1x notchecked</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_smartcard_auth" class="rule-overview-leaf rule-overview-leaf-error rule-overview-needs-attention" id="rule-overview-leaf-idm46336714382656" data-tt-parent-id="xccdf_org.ssgproject.content_group_smart_card_login" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86589r1_rule"],"DISA CCI":["CCI-000765","CCI-000766","CCI-000767","CCI-000768","CCI-000771","CCI-000772","CCI-000884"],"DISA SRG":["SRG-OS-000104-GPOS-00051","SRG-OS-000106-GPOS-00053","SRG-OS-000107-GPOS-00054","SRG-OS-000109-GPOS-00056","SRG-OS-000108-GPOS-00055","SRG-OS-000108-GPOS-00057","SRG-OS-000108-GPOS-00058"],"DISA STIG":["RHEL-07-010500"],"NIST SP 800-53":["IA-2(2)"],"PCI-DSS Requirement":["Req-8.3"]}'><td style="padding-left: 114px"><a href="#rule-detail-idm46336714382656" onclick="return openRuleDetailsDialog('idm46336714382656')">Enable Smart Card Login</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-error"><div><abbr title="The checking engine could not complete the evaluation, therefore the status of the target's compliance with the rule is not certain. This could happen, for example, if a testing tool was run with insufficient privileges and could not gather all of the necessary information.">error</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_install_smartcard_packages" class="rule-overview-leaf rule-overview-leaf-error rule-overview-needs-attention" id="rule-overview-leaf-idm46336714357664" data-tt-parent-id="xccdf_org.ssgproject.content_group_smart_card_login" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-87041r2_rule"],"DISA CCI":["CCI-001954"],"DISA SRG":["SRG-OS-000375-GPOS-00160"],"DISA STIG":["RHEL-07-041001"]}'><td style="padding-left: 114px"><a href="#rule-detail-idm46336714357664" onclick="return openRuleDetailsDialog('idm46336714357664')">Install Smart Card Packages For Multifactor Authentication</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-error"><div><abbr title="The checking engine could not complete the evaluation, therefore the status of the target's compliance with the rule is not certain. This could happen, for example, if a testing tool was run with insufficient privileges and could not gather all of the necessary information.">error</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_smartcard_configure_cert_checking" class="rule-overview-leaf rule-overview-leaf-notchecked rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_smartcard_configure_cert_checking" id="rule-overview-leaf-idm46336714372416" data-tt-parent-id="xccdf_org.ssgproject.content_group_smart_card_login" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-87057r4_rule"],"DISA CCI":["CCI-001954"],"DISA SRG":["SRG-OS-000375-GPOS-00160"],"DISA STIG":["RHEL-07-041003"]}'><td style="padding-left: 114px"><a href="#rule-detail-idm46336714372416" onclick="return openRuleDetailsDialog('idm46336714372416')">Configure Smart Card Certificate Status Checking</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_require_singleuser_auth" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_require_singleuser_auth" id="rule-overview-leaf-idm46336714369824" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-physical" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-92519r1_rule","SV-92519r1_rule"],"DISA CCI":["CCI-000213"],"DISA SRG":["SRG-OS-000080-GPOS-00048"],"DISA STIG":["RHEL-07-010481","RHEL-07-010481"],"NIST SP 800-171":["3.1.1","3.4.5"],"NIST SP 800-53":["IA-2(1)","AC-3"],"CIS Recommendation":["1.4.3"],"HIPAA":["164.308(a)(1)(ii)(B)","164.308(a)(7)(i)","164.308(a)(7)(ii)(A)","164.310(a)(1)","164.310(a)(2)(i)","164.310(a)(2)(ii)","164.310(a)(2)(iii)","164.310(b)","164.310(c)","164.310(d)(1)","164.310(d)(2)(iii)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FIA_AFL.1"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336714369824" onclick="return openRuleDetailsDialog('idm46336714369824')">Require Authentication for Single User Mode</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_reboot" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_reboot" id="rule-overview-leaf-idm46336714347328" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-physical" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86617r1_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-020230"],"NIST SP 800-171":["3.4.5"],"NIST SP 800-53":["AC-6"],"HIPAA":["164.308(a)(1)(ii)(B)","164.308(a)(7)(i)","164.308(a)(7)(ii)(A)","164.310(a)(1)","164.310(a)(2)(i)","164.310(a)(2)(ii)","164.310(a)(2)(iii)","164.310(b)","164.310(c)","164.310(d)(1)","164.310(d)(2)(iii)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336714347328" onclick="return openRuleDetailsDialog('idm46336714347328')">Disable Ctrl-Alt-Del Reboot Activation</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_accounts-banners" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_accounts-banners" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts"><td colspan="3" style="padding-left: 57px">Warning Banners for System Accesses<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_accounts-banners");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_gui_login_banner" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_gui_login_banner" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-banners"><td colspan="3" style="padding-left: 76px">Implement a GUI Warning Banner<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_gui_login_banner");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_dconf_gnome_banner_enabled" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_dconf_gnome_banner_enabled" id="rule-overview-leaf-idm46336714336880" data-tt-parent-id="xccdf_org.ssgproject.content_group_gui_login_banner" data-references='{"":["OS-SRG-000023-GPOS-00006"],"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86483r3_rule"],"DISA CCI":["CCI-000048"],"DISA SRG":["SRG-OS-000024-GPOS-00007","SRG-OS-000228-GPOS-00088"],"DISA STIG":["RHEL-07-010030"],"NIST SP 800-171":["3.1.9"],"NIST SP 800-53":["AC-8(a)","AC-8(b)","AC-8(c)(1)","AC-8(c)(2)","AC-8(c)(3)"],"CIS Recommendation":["1.7.2"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_MOF_EXT.1"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336714336880" onclick="return openRuleDetailsDialog('idm46336714336880')">Enable GNOME3 Login Warning Banner</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_dconf_gnome_login_banner_text" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_dconf_gnome_login_banner_text" id="rule-overview-leaf-idm46336714333056" data-tt-parent-id="xccdf_org.ssgproject.content_group_gui_login_banner" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86485r3_rule"],"DISA CCI":["CCI-000048"],"DISA SRG":["SRG-OS-000023-GPOS-00006","SRG-OS-000024-GPOS-00007","SRG-OS-000228-GPOS-00088"],"DISA STIG":["RHEL-07-010040"],"NIST SP 800-171":["3.1.9"],"NIST SP 800-53":["AC-8(a)","AC-8(b)","AC-8(c)"],"CIS Recommendation":["1.7.2"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_MOF_EXT.1"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336714333056" onclick="return openRuleDetailsDialog('idm46336714333056')">Set the GNOME3 Login Warning Banner Text</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_banner_etc_issue" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_banner_etc_issue" id="rule-overview-leaf-idm46336714323808" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-banners" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86487r2_rule"],"DISA CCI":["CCI-000048"],"DISA SRG":["SRG-OS-000023-GPOS-00006","SRG-OS-000024-GPOS-00007"],"DISA STIG":["RHEL-07-010050"],"NIST SP 800-171":["3.1.9"],"NIST SP 800-53":["AC-8(a)","AC-8(b)","AC-8(c)(1)","AC-8(c)(2)","AC-8(c)(3)"],"CIS Recommendation":["1.7.1.2"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_MOF_EXT.1"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336714323808" onclick="return openRuleDetailsDialog('idm46336714323808')">Modify the System Login Banner</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_accounts-session" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_accounts-session" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts"><td colspan="3" style="padding-left: 57px"><strong>Secure Session Configuration Files for Login Accounts</strong> <span class="badge">14x notchecked</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_user_umask" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_user_umask" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-session"><td colspan="3" style="padding-left: 76px"><strong>Ensure that Users Have Sensible Umask Values</strong> <span class="badge">1x notchecked</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_umask_interactive_users" class="rule-overview-leaf rule-overview-leaf-notchecked rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_umask_interactive_users" id="rule-overview-leaf-idm46336714306576" data-tt-parent-id="xccdf_org.ssgproject.content_group_user_umask" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86673r1_rule"],"DISA CCI":["CCI-001814"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-021040"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336714306576" onclick="return openRuleDetailsDialog('idm46336714306576')">Ensure the Default Umask is Set Correctly For Interactive Users</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_umask_etc_login_defs" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_umask_etc_login_defs" id="rule-overview-leaf-idm46336714304160" data-tt-parent-id="xccdf_org.ssgproject.content_group_user_umask" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86619r1_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00228"],"DISA STIG":["RHEL-07-020240"],"NIST SP 800-53":["CM-6(b)","SA-8"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336714304160" onclick="return openRuleDetailsDialog('idm46336714304160')">Ensure the Default Umask is Set Correctly in login.defs</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_user_dot_no_world_writable_programs" class="rule-overview-leaf rule-overview-leaf-notchecked rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_user_dot_no_world_writable_programs" id="rule-overview-leaf-idm46336714293408" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-session" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86661r1_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-020730"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336714293408" onclick="return openRuleDetailsDialog('idm46336714293408')">User Initialization Files Must Not Run World-Writable Programs</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_tmout" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_tmout" id="rule-overview-leaf-idm46336714290528" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-session" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86847r3_rule"],"DISA CCI":["CCI-001133","CCI-000361"],"DISA SRG":["SRG-OS-000163-GPOS-00072"],"DISA STIG":["RHEL-07-040160"],"NIST SP 800-171":["3.1.11"],"NIST SP 800-53":["AC-12","SC-10"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_MOF_EXT.1"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336714290528" onclick="return openRuleDetailsDialog('idm46336714290528')">Set Interactive Session Timeout</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_user_dot_user_ownership" class="rule-overview-leaf rule-overview-leaf-notchecked rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_user_dot_user_ownership" id="rule-overview-leaf-idm46336714284992" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-session" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86653r1_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-020690"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336714284992" onclick="return openRuleDetailsDialog('idm46336714284992')">User Initialization Files Must Be Owned By the Primary User</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_file_permission_user_init_files" class="rule-overview-leaf rule-overview-leaf-notchecked rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_file_permission_user_init_files" id="rule-overview-leaf-idm46336714282400" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-session" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86657r1_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-020710"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336714282400" onclick="return openRuleDetailsDialog('idm46336714282400')">Ensure All User Initialization Files Have Mode 0740 Or Less Permissive</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_user_dot_group_ownership" class="rule-overview-leaf rule-overview-leaf-notchecked rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_user_dot_group_ownership" id="rule-overview-leaf-idm46336714278848" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-session" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86655r2_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-020700"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336714278848" onclick="return openRuleDetailsDialog('idm46336714278848')">User Initialization Files Must Be Group-Owned By The Primary User</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_user_interactive_home_directory_exists" class="rule-overview-leaf rule-overview-leaf-notchecked rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_user_interactive_home_directory_exists" id="rule-overview-leaf-idm46336714275504" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-session" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86639r1_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-020620"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336714275504" onclick="return openRuleDetailsDialog('idm46336714275504')">All Interactive Users Home Directories Must Exist</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_users_home_files_groupownership" class="rule-overview-leaf rule-overview-leaf-notchecked rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_users_home_files_groupownership" id="rule-overview-leaf-idm46336714270240" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-session" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86649r1_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-020670"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336714270240" onclick="return openRuleDetailsDialog('idm46336714270240')">All User Files and Directories In The Home Directory Must Be Group-Owned By The Primary User</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_logon_fail_delay" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_logon_fail_delay" id="rule-overview-leaf-idm46336714267280" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-session" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86575r1_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00226"],"DISA STIG":["RHEL-07-010430"],"NIST SP 800-53":["CM-6(b)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336714267280" onclick="return openRuleDetailsDialog('idm46336714267280')">Ensure the Logon Failure Delay is Set Correctly in login.defs</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_have_homedir_login_defs" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_have_homedir_login_defs" id="rule-overview-leaf-idm46336714248960" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-session" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86637r1_rule"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-020610"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336714248960" onclick="return openRuleDetailsDialog('idm46336714248960')">Ensure Home Directories are Created for New Users</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_max_concurrent_login_sessions" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_max_concurrent_login_sessions" id="rule-overview-leaf-idm46336714260560" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-session" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86841r1_rule"],"DISA CCI":["CCI-000054"],"DISA SRG":["SRG-OS-000027-GPOS-00008"],"DISA STIG":["RHEL-07-040000"],"NIST SP 800-53":["AC-10"],"FBI CJIS":["5.5.2.2"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336714260560" onclick="return openRuleDetailsDialog('idm46336714260560')">Limit the Number of Concurrent Login Sessions Allowed Per User</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_users_home_files_permissions" class="rule-overview-leaf rule-overview-leaf-notchecked rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_users_home_files_permissions" id="rule-overview-leaf-idm46336714243040" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-session" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86651r1_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-020680"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336714243040" onclick="return openRuleDetailsDialog('idm46336714243040')">All User Files and Directories In The Home Directory Must Have Mode 0750 Or Less Permissive</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_user_home_paths_only" class="rule-overview-leaf rule-overview-leaf-notchecked rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_user_home_paths_only" id="rule-overview-leaf-idm46336714240304" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-session" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86659r3_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-020720"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336714240304" onclick="return openRuleDetailsDialog('idm46336714240304')">Ensure that Users Path Contains Only Local Directories</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_file_groupownership_home_directories" class="rule-overview-leaf rule-overview-leaf-notchecked rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_file_groupownership_home_directories" id="rule-overview-leaf-idm46336714237040" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-session" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86645r4_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-020650"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336714237040" onclick="return openRuleDetailsDialog('idm46336714237040')">All Interactive User Home Directories Must Be Group-Owned By The Primary User</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_user_interactive_home_directory_defined" class="rule-overview-leaf rule-overview-leaf-notchecked rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_user_interactive_home_directory_defined" id="rule-overview-leaf-idm46336714233696" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-session" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86635r1_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-020600"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336714233696" onclick="return openRuleDetailsDialog('idm46336714233696')">All Interactive Users Must Have A Home Directory Defined</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_users_home_files_ownership" class="rule-overview-leaf rule-overview-leaf-notchecked rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_users_home_files_ownership" id="rule-overview-leaf-idm46336714230240" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-session" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86647r1_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-020660"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336714230240" onclick="return openRuleDetailsDialog('idm46336714230240')">All User Files and Directories In The Home Directory Must Be Owned By The Primary User</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_file_ownership_home_directories" class="rule-overview-leaf rule-overview-leaf-notchecked rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_file_ownership_home_directories" id="rule-overview-leaf-idm46336714227248" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-session" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86643r4_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-020640"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336714227248" onclick="return openRuleDetailsDialog('idm46336714227248')">All Interactive User Home Directories Must Be Owned By The Primary User</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_file_permissions_home_directories" class="rule-overview-leaf rule-overview-leaf-notchecked rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_file_permissions_home_directories" id="rule-overview-leaf-idm46336714224000" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-session" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86641r2_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-020630"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336714224000" onclick="return openRuleDetailsDialog('idm46336714224000')">All Interactive User Home Directories Must Have mode 0750 Or Less Permissive</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_permissions" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_permissions" data-tt-parent-id="xccdf_org.ssgproject.content_group_system"><td colspan="3" style="padding-left: 38px"><strong>File Permissions and Masks</strong> <span class="badge">2x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_files" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_files" data-tt-parent-id="xccdf_org.ssgproject.content_group_permissions"><td colspan="3" style="padding-left: 57px"><strong>Verify Permissions on Important Files and >Directories</strong> <span class="badge">2x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_file_permissions_ungroupowned" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46336714175232" data-tt-parent-id="xccdf_org.ssgproject.content_group_files" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86633r2_rule"],"DISA CCI":["CCI-002165"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-020330"],"NIST SP 800-53":["AC-3(4)","AC-6","IA-2"],"CIS Recommendation":["6.1.12"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336714175232" onclick="return openRuleDetailsDialog('idm46336714175232')">Ensure All Files Are Owned by a Group</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_dir_perms_world_writable_system_owned" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_dir_perms_world_writable_system_owned" id="rule-overview-leaf-idm46336714171264" data-tt-parent-id="xccdf_org.ssgproject.content_group_files" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86671r3_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-021030"],"NIST SP 800-53":["AC-6"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336714171264" onclick="return openRuleDetailsDialog('idm46336714171264')">Ensure All World-Writable Directories Are Owned by a System Account</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_no_files_unowned_by_user" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46336714167328" data-tt-parent-id="xccdf_org.ssgproject.content_group_files" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86631r2_rule"],"DISA CCI":["CCI-002165"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-020320"],"NIST SP 800-53":["AC-3(4)","AC-6","CM-6(b)"],"CIS Recommendation":["6.1.11"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336714167328" onclick="return openRuleDetailsDialog('idm46336714167328')">Ensure All Files Are Owned by a User</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_restrictions" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_restrictions" data-tt-parent-id="xccdf_org.ssgproject.content_group_permissions"><td colspan="3" style="padding-left: 57px">Restrict Programs from Dangerous Execution Patterns<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_restrictions");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_enable_execshield_settings" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_enable_execshield_settings" data-tt-parent-id="xccdf_org.ssgproject.content_group_restrictions"><td colspan="3" style="padding-left: 76px">Enable ExecShield<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_enable_execshield_settings");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_kernel_randomize_va_space" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_kernel_randomize_va_space" id="rule-overview-leaf-idm46336714140560" data-tt-parent-id="xccdf_org.ssgproject.content_group_enable_execshield_settings" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-92521r1_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-040201"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["SC-30(2)"],"CIS Recommendation":["1.5.1"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)","164.308(a)(4)","164.310(b)","164.310(c)","164.312(a)","164.312(e)"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336714140560" onclick="return openRuleDetailsDialog('idm46336714140560')">Enable Randomized Layout of Virtual Address Space</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_partitions" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_partitions" data-tt-parent-id="xccdf_org.ssgproject.content_group_permissions"><td colspan="3" style="padding-left: 57px">Restrict Partition Mount Options<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_partitions");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_mount_option_home_nosuid" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_mount_option_home_nosuid" id="rule-overview-leaf-idm46336714117104" data-tt-parent-id="xccdf_org.ssgproject.content_group_partitions" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86665r3_rule"],"DISA STIG":["RHEL-07-021000"],"NIST SP 800-53":["CM-7","MP-2"],"CIS Recommendation":["1.1.3"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336714117104" onclick="return openRuleDetailsDialog('idm46336714117104')">Add nosuid Option to /home</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_mount_option_nosuid_removable_partitions" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_mount_option_nosuid_removable_partitions" id="rule-overview-leaf-idm46336714108880" data-tt-parent-id="xccdf_org.ssgproject.content_group_partitions" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86667r1_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-021010"],"NIST SP 800-53":["AC-6","AC-19(a)","AC-19(d)","AC-19(e)","CM-7","MP-2"],"CIS Recommendation":["1.1.19"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336714108880" onclick="return openRuleDetailsDialog('idm46336714108880')">Add nosuid Option to Removable Media Partitions</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_mounting" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_mounting" data-tt-parent-id="xccdf_org.ssgproject.content_group_permissions"><td colspan="3" style="padding-left: 57px">Restrict Dynamic Mounting and Unmounting of >Filesystems<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_mounting");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_kernel_module_usb-storage_disabled" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_kernel_module_usb-storage_disabled" id="rule-overview-leaf-idm46336714083168" data-tt-parent-id="xccdf_org.ssgproject.content_group_mounting" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86607r2_rule"],"DISA CCI":["CCI-000366","CCI-000778","CCI-001958"],"DISA SRG":["SRG-OS-000114-GPOS-00059","SRG-OS-000378-GPOS-0016","SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-020100"],"NIST SP 800-171":["3.1.21"],"NIST SP 800-53":["AC-19(a)","AC-19(d)","AC-19(e)","IA-3"],"HIPAA":["164.308(a)(3)(i)","164.308(a)(3)(ii)(A)","164.310(d)(1)","164.310(d)(2)","164.312(a)(1)","164.312(a)(2)(iv)","164.312(b)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336714083168" onclick="return openRuleDetailsDialog('idm46336714083168')">Disable Modprobe Loading of USB Storage Driver</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_autofs_disabled" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_service_autofs_disabled" id="rule-overview-leaf-idm46336714055344" data-tt-parent-id="xccdf_org.ssgproject.content_group_mounting" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86609r1_rule"],"DISA CCI":["CCI-000366","CCI-000778","CCI-001958"],"DISA SRG":["SRG-OS-000114-GPOS-00059","SRG-OS-000378-GPOS-00163","SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-020110"],"NIST SP 800-171":["3.4.6"],"NIST SP 800-53":["AC-19(a)","AC-19(d)","AC-19(e)","IA-3"],"CIS Recommendation":["1.1.22"],"HIPAA":["164.308(a)(3)(i)","164.308(a)(3)(ii)(A)","164.310(d)(1)","164.310(d)(2)","164.312(a)(1)","164.312(a)(2)(iv)","164.312(b)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336714055344" onclick="return openRuleDetailsDialog('idm46336714055344')">Disable the Automounter</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_auditing" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_auditing" data-tt-parent-id="xccdf_org.ssgproject.content_group_system"><td colspan="3" style="padding-left: 38px"><strong>System Accounting with <tt>auditd</tt></strong> <span class="badge">2x error</span> <span class="badge">4x notchecked</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_configure_auditd_data_retention" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_configure_auditd_data_retention" data-tt-parent-id="xccdf_org.ssgproject.content_group_auditing"><td colspan="3" style="padding-left: 57px"><strong>Configure <tt>auditd</tt> Data Retention</strong> <span class="badge">4x notchecked</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_auditd_audispd_encrypt_sent_records" class="rule-overview-leaf rule-overview-leaf-notchecked rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_auditd_audispd_encrypt_sent_records" id="rule-overview-leaf-idm46336714043808" data-tt-parent-id="xccdf_org.ssgproject.content_group_configure_auditd_data_retention" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86709r1_rule"],"DISA CCI":["CCI-001851"],"DISA SRG":["SRG-OS-000342-GPOS-00133"],"DISA STIG":["RHEL-07-030310"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336714043808" onclick="return openRuleDetailsDialog('idm46336714043808')">Encrypt Audit Records Sent With audispd Plugin</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_auditd_audispd_configure_remote_server" class="rule-overview-leaf rule-overview-leaf-notchecked rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_auditd_audispd_configure_remote_server" id="rule-overview-leaf-idm46336714040944" data-tt-parent-id="xccdf_org.ssgproject.content_group_configure_auditd_data_retention" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86707r1_rule"],"DISA CCI":["CCI-001851"],"DISA SRG":["SRG-OS-000342-GPOS-00133"],"DISA STIG":["RHEL-07-030300"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336714040944" onclick="return openRuleDetailsDialog('idm46336714040944')">Configure audispd Plugin To Send Logs To Remote Server</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_auditd_audispd_network_failure_action" class="rule-overview-leaf rule-overview-leaf-notchecked rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_auditd_audispd_network_failure_action" id="rule-overview-leaf-idm46336714037600" data-tt-parent-id="xccdf_org.ssgproject.content_group_configure_auditd_data_retention" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-87815r2_rule"],"DISA CCI":["CCI-001851"],"DISA SRG":["SRG-OS-000342-GPOS-00133"],"DISA STIG":["RHEL-07-030321"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336714037600" onclick="return openRuleDetailsDialog('idm46336714037600')">Configure audispd's Plugin network_failure_action On Network Failure</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left" id="rule-overview-leaf-idm46336714029600" data-tt-parent-id="xccdf_org.ssgproject.content_group_configure_auditd_data_retention" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86713r1_rule"],"DISA CCI":["CCI-001855"],"DISA SRG":["SRG-OS-000343-GPOS-00134"],"DISA STIG":["RHEL-07-030330"],"NIST SP 800-53":["AU-1(b)","AU-4","AU-5(b)","IR-5"],"PCI-DSS Requirement":["Req-10.7"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336714029600" onclick="return openRuleDetailsDialog('idm46336714029600')">Configure auditd space_left on Low Disk Space</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_auditd_data_retention_action_mail_acct" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_auditd_data_retention_action_mail_acct" id="rule-overview-leaf-idm46336714024208" data-tt-parent-id="xccdf_org.ssgproject.content_group_configure_auditd_data_retention" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86717r2_rule"],"DISA CCI":["CCI-001855"],"DISA SRG":["SRG-OS-000343-GPOS-00134"],"DISA STIG":["RHEL-07-030350"],"NIST SP 800-171":["3.3.1"],"NIST SP 800-53":["AU-1(b)","AU-4","AU-5(1)","AU-5(a)","IR-5"],"CIS Recommendation":["5.2.1.2"],"FBI CJIS":["5.4.1.1"],"HIPAA":["164.312(a)(2)(ii)"],"ISO 27001-2013":["A.12.3.1"],"PCI-DSS Requirement":["Req-10.7.a"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336714024208" onclick="return openRuleDetailsDialog('idm46336714024208')">Configure auditd mail_acct Action on Low Disk Space</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left_action" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left_action" id="rule-overview-leaf-idm46336714019136" data-tt-parent-id="xccdf_org.ssgproject.content_group_configure_auditd_data_retention" data-references='{"DISA CCI":["CCI-001855"],"DISA SRG":["SRG-OS-000343-GPOS-00134"],"NIST SP 800-171":["3.3.1"],"NIST SP 800-53":["AU-1(b)","AU-4","AU-5(1)","AU-5(b)","IR-5"],"CIS Recommendation":["5.2.1.2"],"FBI CJIS":["5.4.1.1"],"HIPAA":["164.312(a)(2)(ii)"],"ISO 27001-2013":["A.12.3.1"],"PCI-DSS Requirement":["Req-10.7"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336714019136" onclick="return openRuleDetailsDialog('idm46336714019136')">Configure auditd space_left Action on Low Disk Space</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_auditd_audispd_disk_full_action" class="rule-overview-leaf rule-overview-leaf-notchecked rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_auditd_audispd_disk_full_action" id="rule-overview-leaf-idm46336714004880" data-tt-parent-id="xccdf_org.ssgproject.content_group_configure_auditd_data_retention" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86711r2_rule"],"DISA CCI":["CCI-001851"],"DISA SRG":["SRG-OS-000342-GPOS-00133"],"DISA STIG":["RHEL-07-030320"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336714004880" onclick="return openRuleDetailsDialog('idm46336714004880')">Configure audispd's Plugin disk_full_action When Disk Is Full</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_auditd_configure_rules" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_auditd_configure_rules" data-tt-parent-id="xccdf_org.ssgproject.content_group_auditing"><td colspan="3" style="padding-left: 57px"><strong>Configure <tt>auditd</tt> Rules for Comprehensive Auditing</strong> <span class="badge">1x error</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_audit_kernel_module_loading" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_audit_kernel_module_loading" data-tt-parent-id="xccdf_org.ssgproject.content_group_auditd_configure_rules"><td colspan="3" style="padding-left: 76px">Record Information on Kernel Modules Loading and Unloading<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_audit_kernel_module_loading");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_rmmod" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_rmmod" id="rule-overview-leaf-idm46336713995024" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_kernel_module_loading" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86817r3_rule"],"DISA CCI":["CCI-000172"],"DISA SRG":["SRG-OS-000471-GPOS-00216","SRG-OS-000477-GPOS-00222"],"DISA STIG":["RHEL-07-030850"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AC-17(7)","AU-1(b)","AU-2(a)","AU-2(c)","AU-2(d)","AU-12(a)","AU-12(c)","IR-5"],"CIS Recommendation":["5.2.17"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"],"PCI-DSS Requirement":["Req-10.2.7"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336713995024" onclick="return openRuleDetailsDialog('idm46336713995024')">Ensure auditd Collects Information on Kernel Module Unloading - rmmod</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_delete" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_delete" id="rule-overview-leaf-idm46336713970336" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_kernel_module_loading" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86813r3_rule"],"DISA CCI":["CCI-000172"],"DISA SRG":["SRG-OS-000471-GPOS-00216","SRG-OS-000477-GPOS-00222"],"DISA STIG":["RHEL-07-030830"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AC-17(7)","AU-1(b)","AU-2(a)","AU-2(c)","AU-2(d)","AU-12(a)","AU-12(c)","IR-5"],"CIS Recommendation":["5.2.17"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"],"PCI-DSS Requirement":["Req-10.2.7"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336713970336" onclick="return openRuleDetailsDialog('idm46336713970336')">Ensure auditd Collects Information on Kernel Module Unloading - delete_module</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_modprobe" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_modprobe" id="rule-overview-leaf-idm46336713986304" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_kernel_module_loading" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86819r3_rule"],"DISA CCI":["CCI-000172"],"DISA SRG":["SRG-OS-000471-GPOS-00216","SRG-OS-000477-GPOS-00222"],"DISA STIG":["RHEL-07-030860"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AC-17(7)","AU-1(b)","AU-2(a)","AU-2(c)","AU-2(d)","AU-12(a)","AU-12(c)","IR-5"],"CIS Recommendation":["5.2.17"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"],"PCI-DSS Requirement":["Req-10.2.7"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336713986304" onclick="return openRuleDetailsDialog('idm46336713986304')">Ensure auditd Collects Information on Kernel Module Loading and Unloading - modprobe</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_finit" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_finit" id="rule-overview-leaf-idm46336713961840" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_kernel_module_loading" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-93707r1_rule"],"DISA CCI":["CCI-000172"],"DISA SRG":["SRG-OS-000471-GPOS-00216","SRG-OS-000477-GPOS-00222"],"DISA STIG":["RHEL-07-030821"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AC-17(7)","AU-1(b)","AU-2(a)","AU-2(c)","AU-2(d)","AU-12(a)","AU-12(c)","IR-5"],"CIS Recommendation":["5.2.17"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"],"PCI-DSS Requirement":["Req-10.2.7"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336713961840" onclick="return openRuleDetailsDialog('idm46336713961840')">Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_insmod" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_insmod" id="rule-overview-leaf-idm46336713946960" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_kernel_module_loading" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86815r3_rule"],"DISA CCI":["CCI-000172"],"DISA SRG":["SRG-OS-000471-GPOS-00216","SRG-OS-000477-GPOS-00222"],"DISA STIG":["RHEL-07-030840"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AC-17(7)","AU-1(b)","AU-2(a)","AU-2(c)","AU-2(d)","AU-12(a)","AU-12(c)","IR-5"],"CIS Recommendation":["5.2.17"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"],"PCI-DSS Requirement":["Req-10.2.7"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336713946960" onclick="return openRuleDetailsDialog('idm46336713946960')">Ensure auditd Collects Information on Kernel Module Loading - insmod</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_create" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_create" id="rule-overview-leaf-idm46336713967728" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_kernel_module_loading" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-93705r1_rule"],"DISA CCI":["CCI-000172"],"DISA SRG":["SRG-OS-000471-GPOS-00216","SRG-OS-000477-GPOS-00222"],"DISA STIG":["RHEL-07-030819"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336713967728" onclick="return openRuleDetailsDialog('idm46336713967728')">Ensure auditd Collects Information on Kernel Module Loading - create_module</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_init" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_init" id="rule-overview-leaf-idm46336713917920" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_kernel_module_loading" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86811r3_rule"],"DISA CCI":["CCI-000172"],"DISA SRG":["SRG-OS-000471-GPOS-00216","SRG-OS-000477-GPOS-00222"],"DISA STIG":["RHEL-07-030820"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AC-17(7)","AU-1(b)","AU-2(a)","AU-2(c)","AU-2(d)","AU-12(a)","AU-12(c)","IR-5"],"CIS Recommendation":["5.2.17"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"],"PCI-DSS Requirement":["Req-10.2.7"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336713917920" onclick="return openRuleDetailsDialog('idm46336713917920')">Ensure auditd Collects Information on Kernel Module Loading - init_module</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_audit_login_events" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_audit_login_events" data-tt-parent-id="xccdf_org.ssgproject.content_group_auditd_configure_rules"><td colspan="3" style="padding-left: 76px">Record Attempts to Alter Logon and Logout Events<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_audit_login_events");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_login_events_lastlog" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_login_events_lastlog" id="rule-overview-leaf-idm46336713894528" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_login_events" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86771r2_rule"],"DISA CCI":["CCI-000172","CCI-002884","CCI-000126"],"DISA SRG":["SRG-OS-000392-GPOS-00172","SRG-OS-000470-GPOS-00214","SRG-OS-000473-GPOS-00218"],"DISA STIG":["RHEL-07-030620"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AC-17(7)","AU-1(b)","AU-12(a)","AU-12(c)","IR-5"],"CIS Recommendation":["5.2.8"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"],"PCI-DSS Requirement":["Req-10.2.3"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336713894528" onclick="return openRuleDetailsDialog('idm46336713894528')">Record Attempts to Alter Logon and Logout Events - lastlog</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_login_events_faillock" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_login_events_faillock" id="rule-overview-leaf-idm46336713932096" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_login_events" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86769r3_rule"],"DISA CCI":["CCI-000172","CCI-002884","CCI-000126"],"DISA SRG":["SRG-OS-000392-GPOS-00172","SRG-OS-000470-GPOS-00214","SRG-OS-000473-GPOS-00218"],"DISA STIG":["RHEL-07-030610"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AC-17(7)","AU-1(b)","AU-12(a)","AU-12(c)","IR-5"],"CIS Recommendation":["5.2.8"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"],"PCI-DSS Requirement":["Req-10.2.3"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336713932096" onclick="return openRuleDetailsDialog('idm46336713932096')">Record Attempts to Alter Logon and Logout Events - faillock</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_login_events_tallylog" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_login_events_tallylog" id="rule-overview-leaf-idm46336713880896" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_login_events" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86767r2_rule"],"DISA CCI":["CCI-000172","CCI-002884","CCI-000126"],"DISA SRG":["SRG-OS-000392-GPOS-00172","SRG-OS-000470-GPOS-00214","SRG-OS-000473-GPOS-00218"],"DISA STIG":["RHEL-07-030600"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AC-17(7)","AU-1(b)","AU-12(a)","AU-12(c)","IR-5"],"CIS Recommendation":["5.2.8"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"],"PCI-DSS Requirement":["Req-10.2.3"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336713880896" onclick="return openRuleDetailsDialog('idm46336713880896')">Record Attempts to Alter Logon and Logout Events - tallylog</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_audit_dac_actions" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_audit_dac_actions" data-tt-parent-id="xccdf_org.ssgproject.content_group_auditd_configure_rules"><td colspan="3" style="padding-left: 76px">Record Events that Modify the System's Discretionary Access Controls<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_audit_dac_actions");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchown" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchown" id="rule-overview-leaf-idm46336713847312" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_dac_actions" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86723r3_rule"],"DISA CCI":["CCI-000126","CCI-000172"],"DISA SRG":["SRG-OS-000064-GPOS-00033","SRG-OS-000392-GPOS-00172","SRG-OS-000458-GPOS-00203","SRG-OS-000474-GPOS-00219"],"DISA STIG":["RHEL-07-030380"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AC-17(7)","AU-1(b)","AU-2(a)","AU-2(c)","AU-2(d)","AU-12(a)","AU-12(c)","IR-5"],"CIS Recommendation":["5.2.10"],"FBI CJIS":["5.4.1.1"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"],"PCI-DSS Requirement":["Req-10.5.5"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336713847312" onclick="return openRuleDetailsDialog('idm46336713847312')">Record Events that Modify the System's Discretionary Access Controls - fchown</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_setxattr" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_setxattr" id="rule-overview-leaf-idm46336713842288" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_dac_actions" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86735r3_rule"],"DISA CCI":["CCI-000126","CCI-000172"],"DISA SRG":["SRG-OS-000064-GPOS-00033","SRG-OS-000392-GPOS-00172","SRG-OS-000458-GPOS-00203"],"DISA STIG":["RHEL-07-030440"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AC-17(7)","AU-1(b)","AU-2(a)","AU-2(c)","AU-2(d)","AU-12(a)","AU-12(c)","IR-5"],"CIS Recommendation":["5.2.10"],"FBI CJIS":["5.4.1.1"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"],"PCI-DSS Requirement":["Req-10.5.5"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336713842288" onclick="return openRuleDetailsDialog('idm46336713842288')">Record Events that Modify the System's Discretionary Access Controls - setxattr</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown" id="rule-overview-leaf-idm46336713817312" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_dac_actions" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86721r3_rule"],"DISA CCI":["CCI-000126","CCI-000172"],"DISA SRG":["SRG-OS-000064-GPOS-00033","SRG-OS-000392-GPOS-00172","SRG-OS-000458-GPOS-00203","SRG-OS-000474-GPOS-00219"],"DISA STIG":["RHEL-07-030370"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AC-17(7)","AU-1(b)","AU-2(a)","AU-2(c)","AU-2(d)","AU-12(a)","AU-12(c)","IR-5"],"CIS Recommendation":["5.2.10"],"FBI CJIS":["5.4.1.1"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"],"PCI-DSS Requirement":["Req-10.5.5"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336713817312" onclick="return openRuleDetailsDialog('idm46336713817312')">Record Events that Modify the System's Discretionary Access Controls - chown</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lsetxattr" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lsetxattr" id="rule-overview-leaf-idm46336713802224" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_dac_actions" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86739r3_rule"],"DISA CCI":["CCI-000126","CCI-000172"],"DISA SRG":["SRG-OS-000064-GPOS-00033","SRG-OS-000392-GPOS-00172","SRG-OS-000458-GPOS-00203","SRG-OS-000474-GPOS-00219"],"DISA STIG":["RHEL-07-030460"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AC-17(7)","AU-1(b)","AU-2(a)","AU-2(c)","AU-2(d)","AU-12(a)","AU-12(c)","IR-5"],"CIS Recommendation":["5.2.10"],"FBI CJIS":["5.4.1.1"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"],"PCI-DSS Requirement":["Req-10.5.5"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336713802224" onclick="return openRuleDetailsDialog('idm46336713802224')">Record Events that Modify the System's Discretionary Access Controls - lsetxattr</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chmod" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chmod" id="rule-overview-leaf-idm46336713787072" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_dac_actions" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86729r3_rule"],"DISA CCI":["CCI-000126","CCI-000172"],"DISA SRG":["SRG-OS-000064-GPOS-00033","SRG-OS-000392-GPOS-00172","SRG-OS-000458-GPOS-00203"],"DISA STIG":["RHEL-07-030410"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AC-17(7)","AU-1(b)","AU-2(a)","AU-2(c)","AU-2(d)","AU-12(a)","AU-12(c)","IR-5"],"CIS Recommendation":["5.2.10"],"FBI CJIS":["5.4.1.1"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"],"PCI-DSS Requirement":["Req-10.5.5"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336713787072" onclick="return openRuleDetailsDialog('idm46336713787072')">Record Events that Modify the System's Discretionary Access Controls - chmod</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmodat" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmodat" id="rule-overview-leaf-idm46336713771728" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_dac_actions" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86733r3_rule"],"DISA CCI":["CCI-000126","CCI-000172"],"DISA SRG":["SRG-OS-000064-GPOS-00033","SRG-OS-000392-GPOS-00172","SRG-OS-000458-GPOS-00203"],"DISA STIG":["RHEL-07-030430"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AC-17(7)","AU-1(b)","AU-2(a)","AU-2(c)","AU-2(d)","AU-12(a)","AU-12(c)","IR-5"],"CIS Recommendation":["5.2.10"],"FBI CJIS":["5.4.1.1"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"],"PCI-DSS Requirement":["Req-10.5.5"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336713771728" onclick="return openRuleDetailsDialog('idm46336713771728')">Record Events that Modify the System's Discretionary Access Controls - fchmodat</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_removexattr" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_removexattr" id="rule-overview-leaf-idm46336713756800" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_dac_actions" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86741r3_rule"],"DISA CCI":["CCI-000172"],"DISA SRG":["SRG-OS-000064-GPOS-00033","SRG-OS-000392-GPOS-00172","SRG-OS-000458-GPOS-00203"],"DISA STIG":["RHEL-07-030470"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AC-17(7)","AU-1(b)","AU-2(a)","AU-2(c)","AU-2(d)","AU-12(a)","AU-12(c)","IR-5"],"CIS Recommendation":["5.2.10"],"FBI CJIS":["5.4.1.1"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"],"PCI-DSS Requirement":["Req-10.5.5"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336713756800" onclick="return openRuleDetailsDialog('idm46336713756800')">Record Events that Modify the System's Discretionary Access Controls - removexattr</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fremovexattr" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fremovexattr" id="rule-overview-leaf-idm46336713741920" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_dac_actions" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86743r3_rule"],"DISA CCI":["CCI-000172"],"DISA SRG":["SRG-OS-000064-GPOS-00033","SRG-OS-000392-GPOS-00172","SRG-OS-000458-GPOS-00203"],"DISA STIG":["RHEL-07-030480"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AC-17(7)","AU-1(b)","AU-2(a)","AU-2(c)","AU-2(d)","AU-12(a)","AU-12(c)","IR-5"],"CIS Recommendation":["5.2.10"],"FBI CJIS":["5.4.1.1"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"],"PCI-DSS Requirement":["Req-10.5.5"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336713741920" onclick="return openRuleDetailsDialog('idm46336713741920')">Record Events that Modify the System's Discretionary Access Controls - fremovexattr</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchownat" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchownat" id="rule-overview-leaf-idm46336713726688" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_dac_actions" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86727r3_rule"],"DISA CCI":["CCI-000126","CCI-000172"],"DISA SRG":["SRG-OS-000064-GPOS-00033","SRG-OS-000392-GPOS-00172","SRG-OS-000458-GPOS-00203","SRG-OS-000474-GPOS-00219"],"DISA STIG":["RHEL-07-030400"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AC-17(7)","AU-1(b)","AU-2(a)","AU-2(c)","AU-2(d)","AU-12(a)","AU-12(c)","IR-5"],"CIS Recommendation":["5.2.10"],"FBI CJIS":["5.4.1.1"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"],"PCI-DSS Requirement":["Req-10.5.5"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336713726688" onclick="return openRuleDetailsDialog('idm46336713726688')">Record Events that Modify the System's Discretionary Access Controls - fchownat</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmod" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmod" id="rule-overview-leaf-idm46336713711776" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_dac_actions" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86731r3_rule"],"DISA CCI":["CCI-000126","CCI-000172"],"DISA SRG":["SRG-OS-000064-GPOS-00033","SRG-OS-000392-GPOS-00172","SRG-OS-000458-GPOS-00203"],"DISA STIG":["RHEL-07-030420"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AC-17(7)","AU-1(b)","AU-2(a)","AU-2(c)","AU-2(d)","AU-12(a)","AU-12(c)","IR-5"],"CIS Recommendation":["5.2.10"],"FBI CJIS":["5.4.1.1"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"],"PCI-DSS Requirement":["Req-10.5.5"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336713711776" onclick="return openRuleDetailsDialog('idm46336713711776')">Record Events that Modify the System's Discretionary Access Controls - fchmod</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lremovexattr" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lremovexattr" id="rule-overview-leaf-idm46336713696656" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_dac_actions" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86745r3_rule"],"DISA CCI":["CCI-000172"],"DISA SRG":["SRG-OS-000064-GPOS-00033","SRG-OS-000392-GPOS-00172","SRG-OS-000458-GPOS-00203"],"DISA STIG":["RHEL-07-030490"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AC-17(7)","AU-1(b)","AU-2(a)","AU-2(c)","AU-2(d)","AU-12(a)","AU-12(c)","IR-5"],"CIS Recommendation":["5.2.10"],"FBI CJIS":["5.4.1.1"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"],"PCI-DSS Requirement":["Req-10.5.5"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336713696656" onclick="return openRuleDetailsDialog('idm46336713696656')">Record Events that Modify the System's Discretionary Access Controls - lremovexattr</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fsetxattr" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fsetxattr" id="rule-overview-leaf-idm46336713681648" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_dac_actions" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86737r3_rule"],"DISA CCI":["CCI-000126","CCI-000172"],"DISA SRG":["SRG-OS-000064-GPOS-00033","SRG-OS-000392-GPOS-00172","SRG-OS-000458-GPOS-00203"],"DISA STIG":["RHEL-07-030450"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AC-17(7)","AU-1(b)","AU-2(a)","AU-2(c)","AU-2(d)","AU-12(a)","AU-12(c)","IR-5"],"CIS Recommendation":["5.2.10"],"FBI CJIS":["5.4.1.1"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"],"PCI-DSS Requirement":["Req-10.5.5"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336713681648" onclick="return openRuleDetailsDialog('idm46336713681648')">Record Events that Modify the System's Discretionary Access Controls - fsetxattr</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lchown" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lchown" id="rule-overview-leaf-idm46336713666896" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_dac_actions" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86725r3_rule"],"DISA CCI":["CCI-000126","CCI-000172"],"DISA SRG":["SRG-OS-000064-GPOS-00033","SRG-OS-000392-GPOS-00172","SRG-OS-000458-GPOS-00203","SRG-OS-000474-GPOS-00219"],"DISA STIG":["RHEL-07-030390"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AC-17(7)","AU-1(b)","AU-2(a)","AU-2(c)","AU-2(d)","AU-12(a)","AU-12(c)","IR-5"],"CIS Recommendation":["5.2.10"],"FBI CJIS":["5.4.1.1"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"],"PCI-DSS Requirement":["Req-10.5.5"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336713666896" onclick="return openRuleDetailsDialog('idm46336713666896')">Record Events that Modify the System's Discretionary Access Controls - lchown</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_audit_execution_selinux_commands" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_audit_execution_selinux_commands" data-tt-parent-id="xccdf_org.ssgproject.content_group_auditd_configure_rules"><td colspan="3" style="padding-left: 76px">Record Execution Attempts to Run SELinux Privileged Commands<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_audit_execution_selinux_commands");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_execution_setfiles" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_execution_setfiles" id="rule-overview-leaf-idm46336713651424" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_execution_selinux_commands" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86765r4_rule"],"DISA CCI":["CCI-000172","CCI-002884"],"DISA SRG":["SRG-OS-000392-GPOS-00172","SRG-OS-000463-GPOS-00207","SRG-OS-000465-GPOS-00209"],"DISA STIG":["RHEL-07-030590"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336713651424" onclick="return openRuleDetailsDialog('idm46336713651424')">Record Any Attempts to Run setfiles</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_execution_setsebool" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_execution_setsebool" id="rule-overview-leaf-idm46336713634224" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_execution_selinux_commands" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86761r3_rule"],"DISA CCI":["CCI-000172","CCI-002884"],"DISA SRG":["SRG-OS-000392-GPOS-00172","SRG-OS-000463-GPOS-00207","SRG-OS-000465-GPOS-00209"],"DISA STIG":["RHEL-07-030570"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AU-12(c)"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336713634224" onclick="return openRuleDetailsDialog('idm46336713634224')">Record Any Attempts to Run setsebool</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_execution_semanage" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_execution_semanage" id="rule-overview-leaf-idm46336713829440" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_execution_selinux_commands" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86759r3_rule"],"DISA CCI":["CCI-000172","CCI-002884"],"DISA SRG":["SRG-OS-000392-GPOS-00172","SRG-OS-000463-GPOS-00207","SRG-OS-000465-GPOS-00209"],"DISA STIG":["RHEL-07-030560"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AU-12(c)"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336713829440" onclick="return openRuleDetailsDialog('idm46336713829440')">Record Any Attempts to Run semanage</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_execution_chcon" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_execution_chcon" id="rule-overview-leaf-idm46336713833408" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_execution_selinux_commands" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86763r3_rule"],"DISA CCI":["CCI-000172","CCI-002884"],"DISA SRG":["SRG-OS-000392-GPOS-00172","SRG-OS-000463-GPOS-00207","SRG-OS-000465-GPOS-00209"],"DISA STIG":["RHEL-07-030580"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AU-12(c)"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336713833408" onclick="return openRuleDetailsDialog('idm46336713833408')">Record Any Attempts to Run chcon</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_audit_file_deletion_events" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_audit_file_deletion_events" data-tt-parent-id="xccdf_org.ssgproject.content_group_auditd_configure_rules"><td colspan="3" style="padding-left: 76px">Record File Deletion Events by User<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_audit_file_deletion_events");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rmdir" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rmdir" id="rule-overview-leaf-idm46336713590384" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_file_deletion_events" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86827r3_rule"],"DISA CCI":["CCI-000366","CCI-000172","CCI-002884"],"DISA SRG":["SRG-OS-000466-GPOS-00210","SRG-OS-000467-GPOS-00210","SRG-OS-000468-GPOS-00212","SRG-OS-000392-GPOS-00172"],"DISA STIG":["RHEL-07-030900"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AC-17(7)","AU-1(b)","AU-2(a)","AU-2(c)","AU-2(d)","AU-12(a)","AU-12(c)","IR-5","MA-4(1)(a)"],"CIS Recommendation":["5.2.14"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"],"PCI-DSS Requirement":["Req-10.2.7"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336713590384" onclick="return openRuleDetailsDialog('idm46336713590384')">Ensure auditd Collects File Deletion Events by User - rmdir</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlinkat" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlinkat" id="rule-overview-leaf-idm46336713616672" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_file_deletion_events" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86831r3_rule"],"DISA CCI":["CCI-000366","CCI-000172","CCI-002884"],"DISA SRG":["SRG-OS-000466-GPOS-00210","SRG-OS-000467-GPOS-00210","SRG-OS-000468-GPOS-00212","SRG-OS-000392-GPOS-00172"],"DISA STIG":["RHEL-07-030920"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AC-17(7)","AU-1(b)","AU-2(a)","AU-2(c)","AU-2(d)","AU-12(a)","AU-12(c)","IR-5","MA-4(1)(a)"],"CIS Recommendation":["5.2.14"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"],"PCI-DSS Requirement":["Req-10.2.7"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336713616672" onclick="return openRuleDetailsDialog('idm46336713616672')">Ensure auditd Collects File Deletion Events by User - unlinkat</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rename" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rename" id="rule-overview-leaf-idm46336713620352" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_file_deletion_events" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86823r3_rule"],"DISA CCI":["CCI-000366","CCI-000172","CCI-002884"],"DISA SRG":["SRG-OS-000466-GPOS-00210","SRG-OS-000467-GPOS-00210","SRG-OS-000468-GPOS-00212","SRG-OS-000392-GPOS-00172"],"DISA STIG":["RHEL-07-030880"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AC-17(7)","AU-1(b)","AU-2(a)","AU-2(c)","AU-2(d)","AU-12(a)","AU-12(c)","IR-5","MA-4(1)(a)"],"CIS Recommendation":["5.2.14"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"],"PCI-DSS Requirement":["Req-10.2.7"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336713620352" onclick="return openRuleDetailsDialog('idm46336713620352')">Ensure auditd Collects File Deletion Events by User - rename</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_renameat" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_renameat" id="rule-overview-leaf-idm46336713567152" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_file_deletion_events" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86825r3_rule"],"DISA CCI":["CCI-000366","CCI-000172","CCI-002884"],"DISA SRG":["SRG-OS-000466-GPOS-00210","SRG-OS-000467-GPOS-00210","SRG-OS-000468-GPOS-00212","SRG-OS-000392-GPOS-00172"],"DISA STIG":["RHEL-07-030890"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AC-17(7)","AU-1(b)","AU-2(a)","AU-2(c)","AU-2(d)","AU-12(a)","AU-12(c)","IR-5","MA-4(1)(a)"],"CIS Recommendation":["5.2.14"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"],"PCI-DSS Requirement":["Req-10.2.7"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336713567152" onclick="return openRuleDetailsDialog('idm46336713567152')">Ensure auditd Collects File Deletion Events by User - renameat</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlink" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlink" id="rule-overview-leaf-idm46336713569424" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_file_deletion_events" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86829r3_rule"],"DISA CCI":["CCI-000366","CCI-000172","CCI-002884"],"DISA SRG":["SRG-OS-000466-GPOS-00210","SRG-OS-000467-GPOS-00210","SRG-OS-000468-GPOS-00212","SRG-OS-000392-GPOS-00172"],"DISA STIG":["RHEL-07-030910"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AC-17(7)","AU-1(b)","AU-2(a)","AU-2(c)","AU-2(d)","AU-12(a)","AU-12(c)","IR-5","MA-4(1)(a)"],"CIS Recommendation":["5.2.14"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"],"PCI-DSS Requirement":["Req-10.2.7"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336713569424" onclick="return openRuleDetailsDialog('idm46336713569424')">Ensure auditd Collects File Deletion Events by User - unlink</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_audit_privileged_commands" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_audit_privileged_commands" data-tt-parent-id="xccdf_org.ssgproject.content_group_auditd_configure_rules"><td colspan="3" style="padding-left: 76px"><strong>Record Information on the Use of Privileged Commands</strong> <span class="badge">1x error</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_umount" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_umount" id="rule-overview-leaf-idm46336713512704" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_privileged_commands" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86797r4_rule"],"DISA CCI":["CCI-000135","CCI-000172","CCI-002884"],"DISA SRG":["SRG-OS-000042-GPOS-00020","SRG-OS-000392-GPOS-00172","SRG-OS-000471-GPOS-00215"],"DISA STIG":["RHEL-07-030750"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AU-3(1)","AU-12(c)"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336713512704" onclick="return openRuleDetailsDialog('idm46336713512704')">Ensure auditd Collects Information on the Use of Privileged Commands - umount</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_passwd" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_passwd" id="rule-overview-leaf-idm46336713497248" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_privileged_commands" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86773r3_rule"],"DISA CCI":["CCI-000135","CCI-000172","CCI-002884"],"DISA SRG":["SRG-OS-000042-GPOS-00020","SRG-OS-000392-GPOS-00172","SRG-OS-000471-GPOS-00215"],"DISA STIG":["RHEL-07-030630"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AU-3(1)","AU-12(c)"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336713497248" onclick="return openRuleDetailsDialog('idm46336713497248')">Ensure auditd Collects Information on the Use of Privileged Commands - passwd</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_postqueue" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_postqueue" id="rule-overview-leaf-idm46336713482592" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_privileged_commands" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86801r2_rule"],"DISA CCI":["CCI-000135","CCI-000172","CCI-002884"],"DISA SRG":["SRG-OS-000042-GPOS-00020","SRG-OS-000392-GPOS-00172","SRG-OS-000471-GPOS-00215"],"DISA STIG":["RHEL-07-030770"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AU-3(1)","AU-12(c)"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336713482592" onclick="return openRuleDetailsDialog('idm46336713482592')">Ensure auditd Collects Information on the Use of Privileged Commands - postqueue</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chage" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chage" id="rule-overview-leaf-idm46336713468048" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_privileged_commands" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86779r3_rule"],"DISA CCI":["CCI-000135","CCI-000172","CCI-002884"],"DISA SRG":["SRG-OS-000042-GPOS-00020","SRG-OS-000392-GPOS-00172","SRG-OS-000471-GPOS-00215"],"DISA STIG":["RHEL-07-030660"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AU-3(1)","AU-12(c)"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336713468048" onclick="return openRuleDetailsDialog('idm46336713468048')">Ensure auditd Collects Information on the Use of Privileged Commands - chage</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands" class="rule-overview-leaf rule-overview-leaf-error rule-overview-needs-attention" id="rule-overview-leaf-idm46336713452976" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_privileged_commands" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86719r5_rule"],"DISA CCI":["CCI-002234"],"DISA SRG":["SRG-OS-000327-GPOS-00127"],"DISA STIG":["RHEL-07-030360"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AC-17(7)","AU-1(b)","AU-2(a)","AU-2(c)","AU-2(d)","AU-2(4)","AU-6(9)","AU-12(a)","AU-12(c)","IR-5"],"CIS Recommendation":["5.2.10"],"FBI CJIS":["5.4.1.1"],"PCI-DSS Requirement":["Req-10.2.2"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336713452976" onclick="return openRuleDetailsDialog('idm46336713452976')">Ensure auditd Collects Information on the Use of Privileged Commands</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-error"><div><abbr title="The checking engine could not complete the evaluation, therefore the status of the target's compliance with the rule is not certain. This could happen, for example, if a testing tool was run with insufficient privileges and could not gather all of the necessary information.">error</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_userhelper" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_userhelper" id="rule-overview-leaf-idm46336713426064" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_privileged_commands" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86781r3_rule"],"DISA CCI":["CCI-000135","CCI-000172","CCI-002884"],"DISA SRG":["SRG-OS-000042-GPOS-00020","SRG-OS-000392-GPOS-00172","SRG-OS-000471-GPOS-00215"],"DISA STIG":["RHEL-07-030670"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AU-3(1)","AU-12(c)"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336713426064" onclick="return openRuleDetailsDialog('idm46336713426064')">Ensure auditd Collects Information on the Use of Privileged Commands - userhelper</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_ssh_keysign" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_ssh_keysign" id="rule-overview-leaf-idm46336713538864" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_privileged_commands" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86803r2_rule"],"DISA CCI":["CCI-000135","CCI-000172","CCI-002884"],"DISA SRG":["SRG-OS-000042-GPOS-00020","SRG-OS-000392-GPOS-00172","SRG-OS-000471-GPOS-00215"],"DISA STIG":["RHEL-07-030780"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AU-3(1)","AU-12(c)"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336713538864" onclick="return openRuleDetailsDialog('idm46336713538864')">Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudoedit" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudoedit" id="rule-overview-leaf-idm46336713419360" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_privileged_commands" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86793r4_rule"],"DISA CCI":["CCI-000135","CCI-000172","CCI-002884"],"DISA SRG":["SRG-OS-000042-GPOS-00020","SRG-OS-000392-GPOS-00172","SRG-OS-000471-GPOS-00215"],"DISA STIG":["RHEL-07-030730"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AU-3(1)","AU-12(c)"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336713419360" onclick="return openRuleDetailsDialog('idm46336713419360')">Ensure auditd Collects Information on the Use of Privileged Commands - sudoedit</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_su" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_su" id="rule-overview-leaf-idm46336713388560" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_privileged_commands" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86783r4_rule"],"DISA CCI":["CCI-000135","CCI-000172","CCI-002884"],"DISA SRG":["SRG-OS-000042-GPOS-00020","SRG-OS-000392-GPOS-00172","SRG-OS-000471-GPOS-00215"],"DISA STIG":["RHEL-07-030680"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AU-3(1)","AU-12(c)"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336713388560" onclick="return openRuleDetailsDialog('idm46336713388560')">Ensure auditd Collects Information on the Use of Privileged Commands - su</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_pam_timestamp_check" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_pam_timestamp_check" id="rule-overview-leaf-idm46336713377424" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_privileged_commands" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86809r3_rule"],"DISA CCI":["CCI-000135","CCI-000172","CCI-002884"],"DISA SRG":["SRG-OS-000042-GPOS-00020","SRG-OS-000392-GPOS-00172","SRG-OS-000471-GPOS-00215"],"DISA STIG":["RHEL-07-030810"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AU-3(1)","AU-12(c)"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336713377424" onclick="return openRuleDetailsDialog('idm46336713377424')">Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudo" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudo" id="rule-overview-leaf-idm46336713401584" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_privileged_commands" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86785r3_rule"],"DISA CCI":["CCI-000135","CCI-000172","CCI-002884"],"DISA SRG":["SRG-OS-000042-GPOS-00020","SRG-OS-000392-GPOS-00172","SRG-OS-000471-GPOS-00215"],"DISA STIG":["RHEL-07-030690"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AU-3(1)","AU-12(c)"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336713401584" onclick="return openRuleDetailsDialog('idm46336713401584')">Ensure auditd Collects Information on the Use of Privileged Commands - sudo</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_newgrp" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_newgrp" id="rule-overview-leaf-idm46336713407360" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_privileged_commands" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86789r3_rule"],"DISA CCI":["CCI-000135","CCI-000172","CCI-002884"],"DISA SRG":["SRG-OS-000042-GPOS-00020","SRG-OS-000392-GPOS-00172","SRG-OS-000471-GPOS-00215"],"DISA STIG":["RHEL-07-030710"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AU-3(1)","AU-12(c)"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336713407360" onclick="return openRuleDetailsDialog('idm46336713407360')">Ensure auditd Collects Information on the Use of Privileged Commands - newgrp</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_crontab" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_crontab" id="rule-overview-leaf-idm46336713332848" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_privileged_commands" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86807r2_rule"],"DISA CCI":["CCI-000135","CCI-000172","CCI-002884"],"DISA SRG":["SRG-OS-000042-GPOS-00020","SRG-OS-000392-GPOS-00172","SRG-OS-000471-GPOS-00215"],"DISA STIG":["RHEL-07-030800"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AU-3(1)","AU-12(c)"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336713332848" onclick="return openRuleDetailsDialog('idm46336713332848')">Ensure auditd Collects Information on the Use of Privileged Commands - crontab</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_gpasswd" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_gpasswd" id="rule-overview-leaf-idm46336713318016" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_privileged_commands" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86777r3_rule"],"DISA CCI":["CCI-000135","CCI-000172","CCI-002884"],"DISA SRG":["SRG-OS-000042-GPOS-00020","SRG-OS-000392-GPOS-00172","SRG-OS-000471-GPOS-00215"],"DISA STIG":["RHEL-07-030650"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AU-3(1)","AU-12(c)"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336713318016" onclick="return openRuleDetailsDialog('idm46336713318016')">Ensure auditd Collects Information on the Use of Privileged Commands - gpasswd</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_unix_chkpwd" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_unix_chkpwd" id="rule-overview-leaf-idm46336713303184" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_privileged_commands" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86775r4_rule"],"DISA CCI":["CCI-000135","CCI-000172","CCI-002884"],"DISA SRG":["SRG-OS-000042-GPOS-00020","SRG-OS-000392-GPOS-00172","SRG-OS-000471-GPOS-00215"],"DISA STIG":["RHEL-07-030640"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AU-3(1)","AU-12(c)"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336713303184" onclick="return openRuleDetailsDialog('idm46336713303184')">Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwd</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_postdrop" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_postdrop" id="rule-overview-leaf-idm46336713356768" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_privileged_commands" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86799r3_rule"],"DISA CCI":["CCI-000135","CCI-000172","CCI-002884"],"DISA SRG":["SRG-OS-000042-GPOS-00020","SRG-OS-000392-GPOS-00172","SRG-OS-000471-GPOS-00215"],"DISA STIG":["RHEL-07-030760"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AU-3(1)","AU-12(c)"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336713356768" onclick="return openRuleDetailsDialog('idm46336713356768')">Ensure auditd Collects Information on the Use of Privileged Commands - postdrop</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chsh" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chsh" id="rule-overview-leaf-idm46336713362736" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_privileged_commands" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86791r3_rule"],"DISA CCI":["CCI-000135","CCI-000172","CCI-002884"],"DISA SRG":["SRG-OS-000042-GPOS-00020","SRG-OS-000392-GPOS-00172","SRG-OS-000471-GPOS-00215"],"DISA STIG":["RHEL-07-030720"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AU-3(1)","AU-12(c)"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336713362736" onclick="return openRuleDetailsDialog('idm46336713362736')">Ensure auditd Collects Information on the Use of Privileged Commands - chsh</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_audit_unsuccessful_file_modification" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_audit_unsuccessful_file_modification" data-tt-parent-id="xccdf_org.ssgproject.content_group_auditd_configure_rules"><td colspan="3" style="padding-left: 76px">Record Unauthorized Access Attempts Events to Files (unsuccessful)<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_audit_unsuccessful_file_modification");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_by_handle_at" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_by_handle_at" id="rule-overview-leaf-idm46336713258800" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_unsuccessful_file_modification" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86753r3_rule"],"DISA CCI":["CCI-000172","CCI-002884"],"DISA SRG":["SRG-OS-000064-GPOS-00033","SRG-OS-000458-GPOS-00203","SRG-OS-000461-GPOS-00205","SRG-OS-000392-GPOS-00172"],"DISA STIG":["RHEL-07-030530"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AC-17(7)","AU-1(b)","AU-2(a)","AU-2(c)","AU-2(d)","AU-12(a)","AU-12(c)","IR-5"],"CIS Recommendation":["5.2.10"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"],"PCI-DSS Requirement":["Req-10.2.4","Req-10.2.1"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336713258800" onclick="return openRuleDetailsDialog('idm46336713258800')">Record Unauthorized Access Attempts to Files (unsuccessful) - open_by_handle_at</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open" id="rule-overview-leaf-idm46336713282656" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_unsuccessful_file_modification" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86749r3_rule"],"DISA CCI":["CCI-000172","CCI-002884"],"DISA SRG":["SRG-OS-000064-GPOS-00033","SRG-OS-000458-GPOS-00203","SRG-OS-000461-GPOS-00205","SRG-OS-000392-GPOS-00172"],"DISA STIG":["RHEL-07-030510"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AC-17(7)","AU-1(b)","AU-2(a)","AU-2(c)","AU-2(d)","AU-12(a)","AU-12(c)","IR-5"],"CIS Recommendation":["5.2.10"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"],"PCI-DSS Requirement":["Req-10.2.4","Req-10.2.1"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336713282656" onclick="return openRuleDetailsDialog('idm46336713282656')">Record Unauthorized Access Attempts to Files (unsuccessful) - open</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_creat" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_creat" id="rule-overview-leaf-idm46336713286336" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_unsuccessful_file_modification" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86747r3_rule"],"DISA CCI":["CCI-000172","CCI-002884"],"DISA SRG":["SRG-OS-000064-GPOS-00033","SRG-OS-000458-GPOS-00203","SRG-OS-000461-GPOS-00205","SRG-OS-000392-GPOS-00172"],"DISA STIG":["RHEL-07-030500"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AC-17(7)","AU-1(b)","AU-2(a)","AU-2(c)","AU-2(d)","AU-12(a)","AU-12(c)","IR-5"],"CIS Recommendation":["5.2.10"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"],"PCI-DSS Requirement":["Req-10.2.4","Req-10.2.1"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336713286336" onclick="return openRuleDetailsDialog('idm46336713286336')">Record Unauthorized Access Attempts to Files (unsuccessful) - creat</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_ftruncate" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_ftruncate" id="rule-overview-leaf-idm46336713241328" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_unsuccessful_file_modification" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86757r3_rule"],"DISA CCI":["CCI-000172","CCI-002884"],"DISA SRG":["SRG-OS-000064-GPOS-00033","SRG-OS-000458-GPOS-00203","SRG-OS-000461-GPOS-00205","SRG-OS-000392-GPOS-00172"],"DISA STIG":["RHEL-07-030550"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AC-17(7)","AU-1(b)","AU-2(a)","AU-2(c)","AU-2(d)","AU-12(a)","AU-12(c)","IR-5"],"CIS Recommendation":["5.2.10"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"],"PCI-DSS Requirement":["Req-10.2.4","Req-10.2.1"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336713241328" onclick="return openRuleDetailsDialog('idm46336713241328')">Record Unauthorized Access Attempts to Files (unsuccessful) - ftruncate</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_truncate" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_truncate" id="rule-overview-leaf-idm46336713229632" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_unsuccessful_file_modification" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86755r3_rule"],"DISA CCI":["CCI-000172","CCI-002884"],"DISA SRG":["SRG-OS-000064-GPOS-00033","SRG-OS-000458-GPOS-00203","SRG-OS-000461-GPOS-00205","SRG-OS-000392-GPOS-00172"],"DISA STIG":["RHEL-07-030540"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AC-17(7)","AU-1(b)","AU-2(a)","AU-2(c)","AU-2(d)","AU-12(a)","AU-12(c)","IR-5"],"CIS Recommendation":["5.2.10"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"],"PCI-DSS Requirement":["Req-10.2.4","Req-10.2.1"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336713229632" onclick="return openRuleDetailsDialog('idm46336713229632')">Record Unauthorized Access Attempts to Files (unsuccessful) - truncate</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_openat" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_openat" id="rule-overview-leaf-idm46336713235472" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_unsuccessful_file_modification" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86751r3_rule"],"DISA CCI":["CCI-000172","CCI-002884"],"DISA SRG":["SRG-OS-000064-GPOS-00033","SRG-OS-000458-GPOS-00203","SRG-OS-000461-GPOS-00205","SRG-OS-000392-GPOS-00172"],"DISA STIG":["RHEL-07-030520"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AC-17(7)","AU-1(b)","AU-2(a)","AU-2(c)","AU-2(d)","AU-12(a)","AU-12(c)","IR-5"],"CIS Recommendation":["5.2.10"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"],"PCI-DSS Requirement":["Req-10.2.4","Req-10.2.1"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336713235472" onclick="return openRuleDetailsDialog('idm46336713235472')">Record Unauthorized Access Attempts to Files (unsuccessful) - openat</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_shadow" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_shadow" id="rule-overview-leaf-idm46336713110544" data-tt-parent-id="xccdf_org.ssgproject.content_group_auditd_configure_rules" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-87823r3_rule"],"DISA CCI":["CCI-000018","CCI-000172","CCI-001403","CCI-002130"],"DISA SRG":["SRG-OS-000004-GPOS-00004"],"DISA STIG":["RHEL-07-030873"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AC-2(4)","AC-17(7)","AU-1(b)","AU-2(a)","AU-2(c)","AU-2(d)","AU-12(a)","AU-12(c)","IR-5"],"CIS Recommendation":["5.2.5"],"FBI CJIS":["5.4.1.1"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"],"PCI-DSS Requirement":["Req-10.2.5"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336713110544" onclick="return openRuleDetailsDialog('idm46336713110544')">Record Events that Modify User/Group Information - /etc/shadow</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_gshadow" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_gshadow" id="rule-overview-leaf-idm46336713130800" data-tt-parent-id="xccdf_org.ssgproject.content_group_auditd_configure_rules" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-87819r3_rule"],"DISA CCI":["CCI-000018","CCI-000172","CCI-001403","CCI-002130"],"DISA SRG":["SRG-OS-000004-GPOS-00004"],"DISA STIG":["RHEL-07-030872"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AC-2(4)","AC-17(7)","AU-1(b)","AU-2(a)","AU-2(c)","AU-2(d)","AU-12(a)","AU-12(c)","IR-5"],"CIS Recommendation":["5.2.5"],"FBI CJIS":["5.4.1.1"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"],"PCI-DSS Requirement":["Req-10.2.5"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336713130800" onclick="return openRuleDetailsDialog('idm46336713130800')">Record Events that Modify User/Group Information - /etc/gshadow</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_media_export" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_media_export" id="rule-overview-leaf-idm46336713142880" data-tt-parent-id="xccdf_org.ssgproject.content_group_auditd_configure_rules" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86795r5_rule"],"DISA CCI":["CCI-000135","CCI-002884"],"DISA SRG":["SRG-OS-000042-GPOS-00020","SRG-OS-000392-GPOS-00172"],"DISA STIG":["RHEL-07-030740"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AC-17(7)","AU-1(b)","AU-2(a)","AU-2(c)","AU-2(d)","AU-3(1)","AU-12(a)","AU-12(c)","IR-5"],"CIS Recommendation":["5.2.13"],"FBI CJIS":["5.4.1.1"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"PCI-DSS Requirement":["Req-10.2.7"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336713142880" onclick="return openRuleDetailsDialog('idm46336713142880')">Ensure auditd Collects Information on Exporting to Media (successful)</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_opasswd" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_opasswd" id="rule-overview-leaf-idm46336713056000" data-tt-parent-id="xccdf_org.ssgproject.content_group_auditd_configure_rules" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-87825r4_rule"],"DISA CCI":["CCI-000018","CCI-000172","CCI-001403","CCI-002130"],"DISA SRG":["SRG-OS-000004-GPOS-00004"],"DISA STIG":["RHEL-07-030874"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AC-2(4)","AC-17(7)","AU-1(b)","AU-2(a)","AU-2(c)","AU-2(d)","AU-12(a)","AU-12(c)","IR-5"],"CIS Recommendation":["5.2.5"],"FBI CJIS":["5.4.1.1"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"],"PCI-DSS Requirement":["Req-10.2.5"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336713056000" onclick="return openRuleDetailsDialog('idm46336713056000')">Record Events that Modify User/Group Information - /etc/security/opasswd</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions" id="rule-overview-leaf-idm46336713038528" data-tt-parent-id="xccdf_org.ssgproject.content_group_auditd_configure_rules" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86787r4_rule"],"DISA CCI":["CCI-000126","CCI-000130","CCI-000135","CCI-000172","CCI-002884"],"DISA SRG":["SRG-OS-000037-GPOS-00015","SRG-OS-000042-GPOS-00020","SRG-OS-000392-GPOS-00172","SRG-OS-000462-GPOS-00206","SRG-OS-000471-GPOS-00215"],"DISA STIG":["RHEL-07-030700"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AC-2(7)(b)","AC-17(7)","AU-1(b)","AU-2(a)","AU-2(c)","AU-2(d)","iAU-3(1)","AU-12(a)","AU-12(c)","IR-5"],"FBI CJIS":["5.4.1.1"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"],"PCI-DSS Requirement":["Req-10.2.2","Req-10.2.5.b"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336713038528" onclick="return openRuleDetailsDialog('idm46336713038528')">Ensure auditd Collects System Administrator Actions</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_system_shutdown" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_system_shutdown" id="rule-overview-leaf-idm46336713034784" data-tt-parent-id="xccdf_org.ssgproject.content_group_auditd_configure_rules" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86705r3_rule"],"DISA CCI":["CCI-000139"],"DISA SRG":["SRG-OS-000046-GPOS-00022","SRG-OS-000047-GPOS-00023"],"DISA STIG":["RHEL-07-030010"],"NIST SP 800-171":["3.3.1","3.3.4"],"NIST SP 800-53":["AU-5","AU-5(a)"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336713034784" onclick="return openRuleDetailsDialog('idm46336713034784')">Shutdown System When Auditing Failures Occur</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_passwd" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_passwd" id="rule-overview-leaf-idm46336713062336" data-tt-parent-id="xccdf_org.ssgproject.content_group_auditd_configure_rules" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86821r4_rule"],"DISA CCI":["CCI-000018","CCI-000172","CCI-001403","CCI-002130"],"DISA SRG":["SRG-OS-000004-GPOS-00004","SRG-OS-000239-GPOS-00089","SRG-OS-000240-GPOS-00090","SRG-OS-000241-GPOS-00091","SRG-OS-000303-GPOS-00120","SRG-OS-000476-GPOS-00221"],"DISA STIG":["RHEL-07-030870"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AC-2(4)","AC-17(7)","AU-1(b)","AU-2(a)","AU-2(c)","AU-2(d)","AU-12(a)","AU-12(c)","IR-5"],"CIS Recommendation":["5.2.5"],"FBI CJIS":["5.4.1.1"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"],"PCI-DSS Requirement":["Req-10.2.5"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336713062336" onclick="return openRuleDetailsDialog('idm46336713062336')">Record Events that Modify User/Group Information - /etc/passwd</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_group" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_group" id="rule-overview-leaf-idm46336713016640" data-tt-parent-id="xccdf_org.ssgproject.content_group_auditd_configure_rules" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-87817r2_rule"],"DISA CCI":["CCI-000018","CCI-000172","CCI-001403","CCI-002130"],"DISA SRG":["SRG-OS-000004-GPOS-00004"],"DISA STIG":["RHEL-07-030871"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AC-2(4)","AC-17(7)","AU-1(b)","AU-2(a)","AU-2(c)","AU-2(d)","AU-12(a)","AU-12(c)","IR-5"],"CIS Recommendation":["5.2.5"],"FBI CJIS":["5.4.1.1"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"],"PCI-DSS Requirement":["Req-10.2.5"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336713016640" onclick="return openRuleDetailsDialog('idm46336713016640')">Record Events that Modify User/Group Information - /etc/group</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_auditd_enabled" class="rule-overview-leaf rule-overview-leaf-error rule-overview-needs-attention" id="rule-overview-leaf-idm46336713011568" data-tt-parent-id="xccdf_org.ssgproject.content_group_auditing" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86703r2_rule"],"DISA CCI":["CCI-000126","CCI-000131"],"DISA SRG":["SRG-OS-000038-GPOS-00016","SRG-OS-000039-GPOS-00017","SRG-OS-000042-GPOS-00021","SRG-OS-000254-GPOS-00095","SRG-OS-000255-GPOS-00096"],"DISA STIG":["RHEL-07-030000"],"NIST SP 800-171":["3.3.1","3.3.2","3.3.6"],"NIST SP 800-53":["AU-3","AC-17(1)","AU-1(b)","AU-10","AU-12(a)","AU-12(c)","AU-14(1)","IR-5"],"CIS Recommendation":["4.1.2"],"FBI CJIS":["5.4.1.1"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(5)(ii)(C)","164.310(a)(2)(iv)","164.310(d)(2)(iii)","164.312(b)"],"PCI-DSS Requirement":["Req-10"]}'><td style="padding-left: 57px"><a href="#rule-detail-idm46336713011568" onclick="return openRuleDetailsDialog('idm46336713011568')">Enable auditd Service</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-error"><div><abbr title="The checking engine could not complete the evaluation, therefore the status of the target's compliance with the rule is not certain. This could happen, for example, if a testing tool was run with insufficient privileges and could not gather all of the necessary information.">error</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_software" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_software" data-tt-parent-id="xccdf_org.ssgproject.content_group_system"><td colspan="3" style="padding-left: 38px"><strong>Installing and Maintaining Software</strong> <span class="badge">3x fail</span> <span class="badge">1x error</span> <span class="badge">1x notchecked</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_disk_partitioning" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_disk_partitioning" data-tt-parent-id="xccdf_org.ssgproject.content_group_software"><td colspan="3" style="padding-left: 57px">Disk Partitioning<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_disk_partitioning");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_partition_for_home" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_partition_for_home" id="rule-overview-leaf-idm46336712984736" data-tt-parent-id="xccdf_org.ssgproject.content_group_disk_partitioning" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86683r1_rule"],"DISA CCI":["CCI-000366","CCI-001208"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-021310"],"NIST SP 800-53":["SC-32(1)"],"CIS Recommendation":["1.1.13"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336712984736" onclick="return openRuleDetailsDialog('idm46336712984736')">Ensure /home Located On Separate Partition</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_partition_for_var" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_partition_for_var" id="rule-overview-leaf-idm46336712979024" data-tt-parent-id="xccdf_org.ssgproject.content_group_disk_partitioning" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86685r1_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-021320"],"NIST SP 800-53":["SC-32(1)"],"CIS Recommendation":["1.1.6"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336712979024" onclick="return openRuleDetailsDialog('idm46336712979024')">Ensure /var Located On Separate Partition</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_partition_for_tmp" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_partition_for_tmp" id="rule-overview-leaf-idm46336712975136" data-tt-parent-id="xccdf_org.ssgproject.content_group_disk_partitioning" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86689r1_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-021340"],"NIST SP 800-53":["SC-32(1)"],"CIS Recommendation":["1.1.2"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336712975136" onclick="return openRuleDetailsDialog('idm46336712975136')">Ensure /tmp Located On Separate Partition</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_partition_for_var_log_audit" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_partition_for_var_log_audit" id="rule-overview-leaf-idm46336712971248" data-tt-parent-id="xccdf_org.ssgproject.content_group_disk_partitioning" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86687r5_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-021330"],"NIST SP 800-53":["AU-4","AU-9","SC-32(1)"],"CIS Recommendation":["1.1.12"],"HIPAA":["164.312(a)(2)(ii)"],"ISO 27001-2013":["A.12.3.1"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336712971248" onclick="return openRuleDetailsDialog('idm46336712971248')">Ensure /var/log/audit Located On Separate Partition</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_sudo" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_sudo" data-tt-parent-id="xccdf_org.ssgproject.content_group_software"><td colspan="3" style="padding-left: 57px">Sudo<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_sudo");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate" id="rule-overview-leaf-idm46336712962976" data-tt-parent-id="xccdf_org.ssgproject.content_group_sudo" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86573r2_rule"],"DISA CCI":["CCI-002038"],"DISA SRG":["SRG-OS-000373-GPOS-00156","SRG-OS-000373-GPOS-00157","SRG-OS-000373-GPOS-00158"],"DISA STIG":["RHEL-07-010350"],"NIST SP 800-53":["IA-11"],"ANSSI":["NT28(R5)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336712962976" onclick="return openRuleDetailsDialog('idm46336712962976')">Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd" id="rule-overview-leaf-idm46336712959008" data-tt-parent-id="xccdf_org.ssgproject.content_group_sudo" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86571r2_rule"],"DISA CCI":["CCI-002038"],"DISA SRG":["SRG-OS-000373-GPOS-00156","SRG-OS-000373-GPOS-00157","SRG-OS-000373-GPOS-00158"],"DISA STIG":["RHEL-07-010340"],"NIST SP 800-53":["IA-11"],"ANSSI":["NT28(R5)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336712959008" onclick="return openRuleDetailsDialog('idm46336712959008')">Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_integrity" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_integrity" data-tt-parent-id="xccdf_org.ssgproject.content_group_software"><td colspan="3" style="padding-left: 57px"><strong>System and Software Integrity</strong> <span class="badge">2x fail</span> <span class="badge">1x error</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_certified-vendor" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_certified-vendor" data-tt-parent-id="xccdf_org.ssgproject.content_group_integrity"><td colspan="3" style="padding-left: 76px">Operating System Vendor Support and Certification<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_certified-vendor");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_installed_OS_is_certified" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_installed_OS_is_certified" id="rule-overview-leaf-idm46336712955120" data-tt-parent-id="xccdf_org.ssgproject.content_group_certified-vendor" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86621r2_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-020250"],"NIST SP 800-53":["SI-2(c)"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336712955120" onclick="return openRuleDetailsDialog('idm46336712955120')">The Installed Operating System Is Vendor Supported and Certified</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_fips" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_fips" data-tt-parent-id="xccdf_org.ssgproject.content_group_integrity"><td colspan="3" style="padding-left: 76px"><strong>Federal Information Processing Standard (FIPS)</strong> <span class="badge">1x error</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode" class="rule-overview-leaf rule-overview-leaf-error rule-overview-needs-attention" id="rule-overview-leaf-idm46336712949344" data-tt-parent-id="xccdf_org.ssgproject.content_group_fips" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86691r3_rule"],"DISA CCI":["CCI-000068","CCI-002450"],"DISA SRG":["SRG-OS-000033-GPOS-00014","SRG-OS-000396-GPOS-00176","SRG-OS-000478-GPOS-00223"],"DISA STIG":["RHEL-07-021350"],"NIST SP 800-171":["3.13.8","3.13.11"],"NIST SP 800-53":["AC-17(2)"],"FBI CJIS":["5.10.1.2"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336712949344" onclick="return openRuleDetailsDialog('idm46336712949344')">Enable FIPS Mode in GRUB2</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-error"><div><abbr title="The checking engine could not complete the evaluation, therefore the status of the target's compliance with the rule is not certain. This could happen, for example, if a testing tool was run with insufficient privileges and could not gather all of the necessary information.">error</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_endpoint_security_software" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_endpoint_security_software" data-tt-parent-id="xccdf_org.ssgproject.content_group_integrity"><td colspan="3" style="padding-left: 76px"><strong>Endpoint Protection Software</strong> <span class="badge">2x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_mcafee_security_software" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_mcafee_security_software" data-tt-parent-id="xccdf_org.ssgproject.content_group_endpoint_security_software"><td colspan="3" style="padding-left: 95px"><strong>McAfee Endpoint Security Software</strong> <span class="badge">2x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_mcafee_antivirus_definitions_updated" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46336712923968" data-tt-parent-id="xccdf_org.ssgproject.content_group_mcafee_security_software" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86839r2_rule"],"DISA CCI":["CCI-000366","CCI-001239","CCI-001668"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-032010"],"NIST SP 800-53":["SC-28","SI-3","SI-3(1)(ii)"]}'><td style="padding-left: 114px"><a href="#rule-detail-idm46336712923968" onclick="return openRuleDetailsDialog('idm46336712923968')">Virus Scanning Software Definitions Are Updated</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_install_mcafee_antivirus" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46336712919088" data-tt-parent-id="xccdf_org.ssgproject.content_group_mcafee_security_software" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86837r2_rule"],"DISA CCI":["CCI-000366","CCI-001239","CCI-001668"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-032000"],"NIST SP 800-53":["SC-28","SI-3","SI-3(1)(ii)"]}'><td style="padding-left: 114px"><a href="#rule-detail-idm46336712919088" onclick="return openRuleDetailsDialog('idm46336712919088')">Install McAfee Virus Scanning Software</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_software-integrity" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_software-integrity" data-tt-parent-id="xccdf_org.ssgproject.content_group_integrity"><td colspan="3" style="padding-left: 76px">Software Integrity Checking<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_software-integrity");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_rpm_verification" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_rpm_verification" data-tt-parent-id="xccdf_org.ssgproject.content_group_software-integrity"><td colspan="3" style="padding-left: 95px">Verify Integrity with RPM<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_rpm_verification");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_rpm_verify_permissions" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_rpm_verify_permissions" id="rule-overview-leaf-idm46336712908304" data-tt-parent-id="xccdf_org.ssgproject.content_group_rpm_verification" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86473r2_rule"],"DISA CCI":["CCI-001494","CCI-001496"],"DISA SRG":["SRG-OS-000257-GPOS-00098","SRG-OS-000278-GPOS-00108"],"DISA STIG":["RHEL-07-010010"],"NIST SP 800-171":["3.3.8","3.4.1"],"NIST SP 800-53":["AC-6","AU-9(1)","AU-9(3)","CM-6(d)","CM-6(3)"],"CIS Recommendation":["1.2.6","6.1.3","6.1.4","6.1.5","6.1.6","6.1.7","6.1.8","6.1.9","6.2.3"],"FBI CJIS":["5.10.4.1"],"HIPAA":["164.308(a)(1)(ii)(D)","164.312(b)","164.312(c)(1)","164.312(c)(2)","164.312(e)(2)(i)"],"PCI-DSS Requirement":["Req-11.5"]}'><td style="padding-left: 114px"><a href="#rule-detail-idm46336712908304" onclick="return openRuleDetailsDialog('idm46336712908304')">Verify and Correct File Permissions with RPM</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_rpm_verify_ownership" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_rpm_verify_ownership" id="rule-overview-leaf-idm46336712904352" data-tt-parent-id="xccdf_org.ssgproject.content_group_rpm_verification" data-references='{"DISA CCI":["CCI-001494","CCI-001496"],"DISA SRG":["SRG-OS-000257-GPOS-00098","SRG-OS-000278-GPOS-00108"],"DISA STIG":["RHEL-07-TBD"],"NIST SP 800-171":["3.3.8","3.4.1"],"NIST SP 800-53":["AC-6","AU-9(1)","AU-9(3)","CM-6(d)","CM-6(3)"],"CIS Recommendation":["1.2.6","6.1.3","6.1.4","6.1.5","6.1.6","6.1.7","6.1.8","6.1.9","6.2.3"],"FBI CJIS":["5.10.4.1"],"PCI-DSS Requirement":["Req-11.5"]}'><td style="padding-left: 114px"><a href="#rule-detail-idm46336712904352" onclick="return openRuleDetailsDialog('idm46336712904352')">Verify and Correct Ownership with RPM</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_rpm_verify_hashes" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_rpm_verify_hashes" id="rule-overview-leaf-idm46336712900464" data-tt-parent-id="xccdf_org.ssgproject.content_group_rpm_verification" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86479r2_rule"],"DISA CCI":["CCI-000663"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-010020"],"NIST SP 800-171":["3.3.8","3.4.1"],"NIST SP 800-53":["CM-6(d)","CM-6(3)","SI-7(1)"],"CIS Recommendation":["1.2.6"],"FBI CJIS":["5.10.4.1"],"HIPAA":["164.308(a)(1)(ii)(D)","164.312(b)","164.312(c)(1)","164.312(c)(2)","164.312(e)(2)(i)"],"PCI-DSS Requirement":["Req-11.5"]}'><td style="padding-left: 114px"><a href="#rule-detail-idm46336712900464" onclick="return openRuleDetailsDialog('idm46336712900464')">Verify File Hashes with RPM</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_aide" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_aide" data-tt-parent-id="xccdf_org.ssgproject.content_group_software-integrity"><td colspan="3" style="padding-left: 95px">Verify Integrity with AIDE<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_aide");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_aide_installed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_aide_installed" id="rule-overview-leaf-idm46336712896576" data-tt-parent-id="xccdf_org.ssgproject.content_group_aide" data-references='{"NIST SP 800-53":["CM-3(d)","CM-3(e)","CM-6(d)","CM-6(3)","SC-28","SI-7"],"CIS Recommendation":["1.3.1"],"FBI CJIS":["5.10.1.3"],"PCI-DSS Requirement":["Req-11.5"]}'><td style="padding-left: 114px"><a href="#rule-detail-idm46336712896576" onclick="return openRuleDetailsDialog('idm46336712896576')">Install AIDE</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_aide_verify_ext_attributes" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_aide_verify_ext_attributes" id="rule-overview-leaf-idm46336712892672" data-tt-parent-id="xccdf_org.ssgproject.content_group_aide" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86695r2_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-021610"],"NIST SP 800-53":["SI-7.1"]}'><td style="padding-left: 114px"><a href="#rule-detail-idm46336712892672" onclick="return openRuleDetailsDialog('idm46336712892672')">Configure AIDE to Verify Extended Attributes</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_aide_verify_acls" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_aide_verify_acls" id="rule-overview-leaf-idm46336712887072" data-tt-parent-id="xccdf_org.ssgproject.content_group_aide" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86693r2_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-021600"],"NIST SP 800-53":["SI-7.1"]}'><td style="padding-left: 114px"><a href="#rule-detail-idm46336712887072" onclick="return openRuleDetailsDialog('idm46336712887072')">Configure AIDE to Verify Access Control Lists (ACLs)</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_aide_use_fips_hashes" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_aide_use_fips_hashes" id="rule-overview-leaf-idm46336712874832" data-tt-parent-id="xccdf_org.ssgproject.content_group_aide" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86697r2_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-021620"],"NIST SP 800-171":["3.13.11"],"NIST SP 800-53":["SI-7(1)"]}'><td style="padding-left: 114px"><a href="#rule-detail-idm46336712874832" onclick="return openRuleDetailsDialog('idm46336712874832')">Configure AIDE to Use FIPS 140-2 for Validating Hashes</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_aide_scan_notification" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_aide_scan_notification" id="rule-overview-leaf-idm46336712876864" data-tt-parent-id="xccdf_org.ssgproject.content_group_aide" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86599r1_rule"],"DISA CCI":["CCI-001744"],"DISA SRG":["SRG-OS-000363-GPOS-00150"],"DISA STIG":["RHEL-07-020040"],"NIST SP 800-53":["CM-3(5)"]}'><td style="padding-left: 114px"><a href="#rule-detail-idm46336712876864" onclick="return openRuleDetailsDialog('idm46336712876864')">Configure Notification of Post-AIDE Scan Details</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking" id="rule-overview-leaf-idm46336712858480" data-tt-parent-id="xccdf_org.ssgproject.content_group_aide" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86597r1_rule"],"DISA CCI":["CCI-001744"],"DISA SRG":["SRG-OS-000363-GPOS-00150"],"DISA STIG":["RHEL-07-020030"],"NIST SP 800-53":["CM-3(d)","CM-3(e)","CM-3(5)","CM-6(d)","CM-6(3)","SC-28","SI-7"],"CIS Recommendation":["1.3.2"],"FBI CJIS":["5.10.1.3"],"PCI-DSS Requirement":["Req-11.5"]}'><td style="padding-left: 114px"><a href="#rule-detail-idm46336712858480" onclick="return openRuleDetailsDialog('idm46336712858480')">Configure Periodic Execution of AIDE</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_updating" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_updating" data-tt-parent-id="xccdf_org.ssgproject.content_group_software"><td colspan="3" style="padding-left: 57px"><strong>Updating Software</strong> <span class="badge">1x fail</span> <span class="badge">1x notchecked</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_security_patches_up_to_date" class="rule-overview-leaf rule-overview-leaf-notchecked rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_security_patches_up_to_date" id="rule-overview-leaf-idm46336712846512" data-tt-parent-id="xccdf_org.ssgproject.content_group_updating" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86623r3_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-020260"],"NIST SP 800-53":["SI-2","SI-2(c)","MA-1(b)"],"CIS Recommendation":["1.8"],"FBI CJIS":["5.10.4.1"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_MOF_EXT.1"],"PCI-DSS Requirement":["Req-6.2"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336712846512" onclick="return openRuleDetailsDialog('idm46336712846512')">Ensure Software Patches Installed</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_ensure_gpgcheck_repo_metadata" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46336712839984" data-tt-parent-id="xccdf_org.ssgproject.content_group_updating" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86605r1_rule"],"DISA CCI":["CCI-001749"],"DISA SRG":["SRG-OS-000366-GPOS-00153"],"DISA STIG":["RHEL-07-020070"],"NIST SP 800-53":["CM-5(3)"],"HIPAA":["164.308(a)(1)(ii)(D)","164.312(b)","164.312(c)(1)","164.312(c)(2)","164.312(e)(2)(i)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336712839984" onclick="return openRuleDetailsDialog('idm46336712839984')">Ensure gpgcheck Enabled for Repository Metadata</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_clean_components_post_updating" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_clean_components_post_updating" id="rule-overview-leaf-idm46336712836016" data-tt-parent-id="xccdf_org.ssgproject.content_group_updating" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86611r1_rule"],"DISA CCI":["CCI-002617"],"DISA SRG":["SRG-OS-000437-GPOS-00194"],"DISA STIG":["RHEL-07-020200"],"NIST SP 800-171":["3.4.8"],"NIST SP 800-53":["SI-2(6)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336712836016" onclick="return openRuleDetailsDialog('idm46336712836016')">Ensure YUM Removes Previous Package Versions</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated" id="rule-overview-leaf-idm46336712817408" data-tt-parent-id="xccdf_org.ssgproject.content_group_updating" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86601r1_rule"],"DISA CCI":["CCI-001749"],"DISA SRG":["SRG-OS-000366-GPOS-00153"],"DISA STIG":["RHEL-07-020050"],"NIST SP 800-171":["3.4.8"],"NIST SP 800-53":["CM-5(3)","SI-7","MA-1(b)"],"CIS Recommendation":["1.2.2"],"FBI CJIS":["5.10.4.1"],"HIPAA":["164.308(a)(1)(ii)(D)","164.312(b)","164.312(c)(1)","164.312(c)(2)","164.312(e)(2)(i)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"],"PCI-DSS Requirement":["Req-6.2"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336712817408" onclick="return openRuleDetailsDialog('idm46336712817408')">Ensure gpgcheck Enabled In Main Yum Configuration</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages" id="rule-overview-leaf-idm46336712827936" data-tt-parent-id="xccdf_org.ssgproject.content_group_updating" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86603r1_rule"],"DISA CCI":["CCI-001749"],"DISA SRG":["SRG-OS-000366-GPOS-00153"],"DISA STIG":["RHEL-07-020060"],"NIST SP 800-171":["3.4.8"],"NIST SP 800-53":["CM-5(3)"],"HIPAA":["164.308(a)(1)(ii)(D)","164.312(b)","164.312(c)(1)","164.312(c)(2)","164.312(e)(2)(i)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336712827936" onclick="return openRuleDetailsDialog('idm46336712827936')">Ensure gpgcheck Enabled for Local Packages</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_gnome" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_gnome" data-tt-parent-id="xccdf_org.ssgproject.content_group_software"><td colspan="3" style="padding-left: 57px">GNOME Desktop Environment<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_gnome");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_gnome_screen_locking" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_gnome_screen_locking" data-tt-parent-id="xccdf_org.ssgproject.content_group_gnome"><td colspan="3" style="padding-left: 76px">Configure GNOME Screen Locking<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_gnome_screen_locking");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_dconf_gnome_session_idle_user_locks" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_dconf_gnome_session_idle_user_locks" id="rule-overview-leaf-idm46336712816080" data-tt-parent-id="xccdf_org.ssgproject.content_group_gnome_screen_locking" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-87809r3_rule"],"DISA CCI":["CCI-000057"],"DISA SRG":["SRG-OS-00029-GPOS-0010"],"DISA STIG":["RHEL-07-010082"],"NIST SP 800-171":["3.1.10"],"NIST SP 800-53":["AC-11(a)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_MOF_EXT.1"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336712816080" onclick="return openRuleDetailsDialog('idm46336712816080')">Ensure Users Cannot Change GNOME3 Session Idle Settings</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_delay" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_delay" id="rule-overview-leaf-idm46336712812288" data-tt-parent-id="xccdf_org.ssgproject.content_group_gnome_screen_locking" data-references='{"":["OS-SRG-000029-GPOS-00010"],"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86525r2_rule"],"DISA CCI":["CCI-000056"],"DISA STIG":["RHEL-07-010110"],"NIST SP 800-171":["3.1.10"],"NIST SP 800-53":["AC-11(a)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_MOF_EXT.1"],"PCI-DSS Requirement":["Req-8.1.8"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336712812288" onclick="return openRuleDetailsDialog('idm46336712812288')">Set GNOME3 Screensaver Lock Delay After Activation Period</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_user_locks" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_user_locks" id="rule-overview-leaf-idm46336712801968" data-tt-parent-id="xccdf_org.ssgproject.content_group_gnome_screen_locking" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-87807r3_rule"],"DISA CCI":["CCI-000057"],"DISA SRG":["SRG-OS-00029-GPOS-0010"],"DISA STIG":["RHEL-07-010081"],"NIST SP 800-171":["3.1.10"],"NIST SP 800-53":["AC-11(a)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_MOF_EXT.1"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336712801968" onclick="return openRuleDetailsDialog('idm46336712801968')">Ensure Users Cannot Change GNOME3 Screensaver Settings</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_activation_enabled" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_activation_enabled" id="rule-overview-leaf-idm46336712796224" data-tt-parent-id="xccdf_org.ssgproject.content_group_gnome_screen_locking" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86523r3_rule"],"DISA CCI":["CCI-000057"],"DISA SRG":["SRG-OS-000029-GPOS-00010"],"DISA STIG":["RHEL-07-010100"],"NIST SP 800-171":["3.1.10"],"NIST SP 800-53":["AC-11(a)"],"FBI CJIS":["5.5.5"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_MOF_EXT.1"],"PCI-DSS Requirement":["Req-8.1.8"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336712796224" onclick="return openRuleDetailsDialog('idm46336712796224')">Enable GNOME3 Screensaver Idle Activation</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay" id="rule-overview-leaf-idm46336712790592" data-tt-parent-id="xccdf_org.ssgproject.content_group_gnome_screen_locking" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86517r4_rule"],"DISA CCI":["CCI-000057"],"DISA SRG":["SRG-OS-000029-GPOS-00010"],"DISA STIG":["RHEL-07-010070"],"NIST SP 800-171":["3.1.10"],"NIST SP 800-53":["AC-11(a)"],"FBI CJIS":["5.5.5"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_MOF_EXT.1"],"PCI-DSS Requirement":["Req-8.1.8"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336712790592" onclick="return openRuleDetailsDialog('idm46336712790592')">Set GNOME3 Screensaver Inactivity Timeout</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_locked" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_locked" id="rule-overview-leaf-idm46336712785776" data-tt-parent-id="xccdf_org.ssgproject.content_group_gnome_screen_locking" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-93701r1_rule"],"DISA CCI":["CCI-000056"],"DISA SRG":["SRG-OS-000029-GPOS-00010"],"DISA STIG":["RHEL-07-010062"],"NIST SP 800-171":["3.1.10"],"NIST SP 800-53":["AC-11(b)"],"FBI CJIS":["5.5.5"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_MOF_EXT.1"],"PCI-DSS Requirement":["Req-8.1.8"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336712785776" onclick="return openRuleDetailsDialog('idm46336712785776')">Ensure Users Cannot Change GNOME3 Screensaver Lock After Idle Period</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_enabled" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_enabled" id="rule-overview-leaf-idm46336712776256" data-tt-parent-id="xccdf_org.ssgproject.content_group_gnome_screen_locking" data-references='{"":["OS-SRG-000030-GPOS-00011"],"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86515r4_rule"],"DISA CCI":["CCI-000056"],"DISA SRG":["SRG-OS-000028-GPOS-00009"],"DISA STIG":["RHEL-07-010060"],"NIST SP 800-171":["3.1.10"],"NIST SP 800-53":["AC-11(b)"],"FBI CJIS":["5.5.5"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_MOF_EXT.1"],"PCI-DSS Requirement":["Req-8.1.8"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336712776256" onclick="return openRuleDetailsDialog('idm46336712776256')">Enable GNOME3 Screensaver Lock After Idle Period</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_activation_locked" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_activation_locked" id="rule-overview-leaf-idm46336712771440" data-tt-parent-id="xccdf_org.ssgproject.content_group_gnome_screen_locking" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-93703r1_rule"],"DISA CCI":["CCI-000057"],"DISA SRG":["SRG-OS-000029-GPOS-00010"],"DISA STIG":["RHEL-07-010101"],"NIST SP 800-171":["3.1.10"],"NIST SP 800-53":["AC-11(a)"],"FBI CJIS":["5.5.5"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_MOF_EXT.1"],"PCI-DSS Requirement":["Req-8.1.8"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336712771440" onclick="return openRuleDetailsDialog('idm46336712771440')">Ensure Users Cannot Change GNOME3 Screensaver Idle Activation</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_gnome_login_screen" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_gnome_login_screen" data-tt-parent-id="xccdf_org.ssgproject.content_group_gnome"><td colspan="3" style="padding-left: 76px">Configure GNOME Login Screen<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_gnome_login_screen");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_dconf_gnome_enable_smartcard_auth" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_dconf_gnome_enable_smartcard_auth" id="rule-overview-leaf-idm46336712743024" data-tt-parent-id="xccdf_org.ssgproject.content_group_gnome_login_screen" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-92515r1_rule"],"DISA CCI":["CCI-000765","CCI-000766","CCI-000767","CCI-000768","CCI-000771","CCI-000772","CCI-000884","CCI-001954"],"DISA SRG":["SRG-OS-000375-GPOS-00160"],"DISA STIG":["RHEL-07-010061"],"PCI-DSS Requirement":["Req-8.3"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336712743024" onclick="return openRuleDetailsDialog('idm46336712743024')">Enable the GNOME3 Login Smartcard Authentication</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_gnome_gdm_disable_automatic_login" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_gnome_gdm_disable_automatic_login" id="rule-overview-leaf-idm46336712734704" data-tt-parent-id="xccdf_org.ssgproject.content_group_gnome_login_screen" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86577r1_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00229"],"DISA STIG":["RHEL-07-010440"],"NIST SP 800-171":["3.1.1"],"NIST SP 800-53":["CM-6(b)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FIA_AFL.1"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336712734704" onclick="return openRuleDetailsDialog('idm46336712734704')">Disable GDM Automatic Login</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_gnome_gdm_disable_guest_login" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_gnome_gdm_disable_guest_login" id="rule-overview-leaf-idm46336712723840" data-tt-parent-id="xccdf_org.ssgproject.content_group_gnome_login_screen" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86579r2_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00229"],"DISA STIG":["RHEL-07-010450"],"NIST SP 800-171":["3.1.1"],"NIST SP 800-53":["CM-6(b)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FIA_AFL.1"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336712723840" onclick="return openRuleDetailsDialog('idm46336712723840')">Disable GDM Guest Login</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr></tbody></table></div><div class="js-only hidden-print"><button type="button" class="btn btn-info" onclick="return toggleResultDetails(this)">Show all result details</button></div><div id="result-details"><h2>Result Details</h2><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_no_host_based_files" id="rule-detail-idm46336716330976"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Remove Host-Based Authentication Filesxccdf_org.ssgproject.content_rule_no_host_based_files highCCE-80513-5 </div><div class="panel-heading"><h3 class="panel-title">Remove Host-Based Authentication Files</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_no_host_based_files</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:26</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80513-5">CCE-80513-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040550</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86903r1_rule</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>shosts.equiv</code> file list remote hosts >and users that are trusted by the local system. >To remove these files, run the following command to delete them from any >location: ><pre>$ sudo rm /[path]/[to]/[file]/shosts.equiv</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The shosts.equiv files are used to configure host-based authentication for the >system via SSH. Host-based authentication is not sufficient for preventing >unauthorized access to the system, as it does not require interactive >identification and authentication of a connection request, or for the use of >two-factor authentication.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_no_user_host_based_files" id="rule-detail-idm46336716324560"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Remove User Host-Based Authentication Filesxccdf_org.ssgproject.content_rule_no_user_host_based_files highCCE-80514-3 </div><div class="panel-heading"><h3 class="panel-title">Remove User Host-Based Authentication Files</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_no_user_host_based_files</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:27</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80514-3">CCE-80514-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040540</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86901r1_rule</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>~/.shosts</code> (in each user's home directory) files >list remote hosts and users that are trusted by the >local system. To remove these files, run the following command >to delete them from any location: ><pre>$ sudo rm ~/.shosts</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The .shosts files are used to configure host-based authentication for >individual users or the system via SSH. Host-based authentication is not >sufficient for preventing unauthorized access to the system, as it does not >require interactive identification and authentication of a connection request, >or for the use of two-factor authentication.false</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_package_rsh-server_removed" id="rule-detail-idm46336716320592"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Uninstall rsh-server Packagexccdf_org.ssgproject.content_rule_package_rsh-server_removed highCCE-27342-5 </div><div class="panel-heading"><h3 class="panel-title">Uninstall rsh-server Package</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_rsh-server_removed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:27</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27342-5">CCE-27342-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-020000</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86591r1_rule</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000381</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000095-GPOS-00049</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>rsh-server</code> package can be uninstalled with >the following command: ><pre>$ sudo yum erase rsh-server</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The <code>rsh-server</code> service provides unencrypted remote access service which does not >provide for the confidentiality and integrity of user passwords or the remote session and has very weak >authentication. If a privileged user were to login using this service, the privileged user password >could be compromised. The <code>rsh-server</code> package provides several obsolete and insecure >network services. Removing it decreases the risk of those services' accidental (or intentional) >activation.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_package_telnet-server_removed" id="rule-detail-idm46336716309104"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Uninstall telnet-server Packagexccdf_org.ssgproject.content_rule_package_telnet-server_removed highCCE-27165-0 </div><div class="panel-heading"><h3 class="panel-title">Uninstall telnet-server Package</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_telnet-server_removed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:27</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27165-0">CCE-27165-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-021710</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86701r1_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.1.1</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000381</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000095-GPOS-00049</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>telnet-server</code> package can be uninstalled with >the following command: ><pre>$ sudo yum erase telnet-server</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>It is detrimental for operating systems to provide, or install by default, functionality exceeding >requirements or mission objectives. These unnecessary capabilities are often overlooked and therefore >may remain unsecure. They increase the risk to the platform by providing additional attack vectors. ><br> >The telnet service provides an unencrypted remote access service which does not provide for the >confidentiality and integrity of user passwords or the remote session. If a privileged user were >to login using this service, the privileged user password could be compromised. ><br> >Removing the <code>telnet-server</code> package decreases the risk of the telnet service's accidental >(or intentional) activation.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_package_ypserv_removed" id="rule-detail-idm46336716300096"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Uninstall ypserv Packagexccdf_org.ssgproject.content_rule_package_ypserv_removed highCCE-27399-5 </div><div class="panel-heading"><h3 class="panel-title">Uninstall ypserv Package</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_ypserv_removed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:27</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27399-5">CCE-27399-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-020010</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86593r1_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.16</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000381</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000095-GPOS-00049</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>ypserv</code> package can be uninstalled with >the following command: ><pre>$ sudo yum erase ypserv</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The NIS service provides an unencrypted authentication service which does not >provide for the confidentiality and integrity of user passwords or the remote session. > >Removing the <code>ypserv</code> package decreases the risk of the accidental (or intentional) >activation of NIS or NIS+ services.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_package_tftp-server_removed" id="rule-detail-idm46336716291120"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Uninstall tftp-server Packagexccdf_org.ssgproject.content_rule_package_tftp-server_removed highCCE-80213-2 </div><div class="panel-heading"><h3 class="panel-title">Uninstall tftp-server Package</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_tftp-server_removed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:27</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80213-2">CCE-80213-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040700</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86925r1_rule</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000318</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000368</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001812</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001813</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001814</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p> The <code>tftp-server</code> package can be removed with the following command: <pre>$ sudo yum erase tftp-server</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Removing the <code>tftp-server</code> package decreases the risk of the >accidental (or intentional) activation of tftp services. ><br><br> >If TFTP is required for operational support (such as transmission of router configurations), >its use must be documented with the Information Systems Securty Manager (ISSM), restricted to >only authorized personnel, and have access control rules established.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_tftpd_uses_secure_mode" id="rule-detail-idm46336716287152"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure tftp Daemon Uses Secure Modexccdf_org.ssgproject.content_rule_tftpd_uses_secure_mode mediumCCE-80214-0 </div><div class="panel-heading"><h3 class="panel-title">Ensure tftp Daemon Uses Secure Mode</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_tftpd_uses_secure_mode</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:27</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80214-0">CCE-80214-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040720</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86929r2_rule</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>If running the <code>tftp</code> service is necessary, it should be configured >to change its root directory at startup. To do so, ensure ><code>/etc/xinetd.d/tftp</code> includes <code>-s</code> as a command line argument, as shown in >the following example (which is also the default): ><pre>server_args = -s /var/lib/tftpboot</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Using the <code>-s</code> option causes the TFTP service to only serve files from the >given directory. Serving files from an intentionally-specified directory >reduces the risk of sharing files which should remain private.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_package_vsftpd_removed" id="rule-detail-idm46336716249152"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Uninstall vsftpd Packagexccdf_org.ssgproject.content_rule_package_vsftpd_removed highCCE-80245-4 </div><div class="panel-heading"><h3 class="panel-title">Uninstall vsftpd Package</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_vsftpd_removed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:27</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80245-4">CCE-80245-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040690</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86923r2_rule</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p> The <code>vsftpd</code> package can be removed with the following command: <pre>$ sudo yum erase vsftpd</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Removing the vsftpd package decreases the risk of its >accidental activation.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_snmpd_not_default_password" id="rule-detail-idm46336716242704"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure Default SNMP Password Is Not Usedxccdf_org.ssgproject.content_rule_snmpd_not_default_password highCCE-27386-2 </div><div class="panel-heading"><h3 class="panel-title">Ensure Default SNMP Password Is Not Used</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_snmpd_not_default_password</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:27</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27386-2">CCE-27386-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040800</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86937r1_rule</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5.1(ii)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Edit <code>/etc/snmp/snmpd.conf</code>, remove or change the default community strings of ><code>public</code> and <code>private</code>. >Once the default community strings have been changed, restart the SNMP service: ><pre>$ sudo service snmpd restart</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Whether active or not, default simple network management protocol (SNMP) community >strings must be changed to maintain security. If the service is running with the >default authenticators, then anyone can gather data about the system and the network >and use the information to potentially compromise the integrity of the system and >network(s).</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_file_groupowner_cron_allow" id="rule-detail-idm46336716233696"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Verify Group Who Owns /etc/cron.allow filexccdf_org.ssgproject.content_rule_file_groupowner_cron_allow mediumCCE-80379-1 </div><div class="panel-heading"><h3 class="panel-title">Verify Group Who Owns /etc/cron.allow file</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_file_groupowner_cron_allow</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:27</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80379-1">CCE-80379-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-021120</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86679r1_rule</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>If <code>/etc/cron.allow</code> exists, it must be group-owned by <code>root</code>. > >To properly set the group owner of <code>/etc/cron.allow</code>, run the command: ><pre>$ sudo chgrp root /etc/cron.allow</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>If the owner of the cron.allow file is not set to root, the possibility exists for an >unauthorized user to view or edit sensitive information.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_file_owner_cron_allow" id="rule-detail-idm46336716229728"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Verify User Who Owns /etc/cron.allow filexccdf_org.ssgproject.content_rule_file_owner_cron_allow mediumCCE-80378-3 </div><div class="panel-heading"><h3 class="panel-title">Verify User Who Owns /etc/cron.allow file</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_file_owner_cron_allow</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:27</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80378-3">CCE-80378-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-021110</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86677r2_rule</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>If <code>/etc/cron.allow</code> exists, it must be owned by <code>root</code>. > >To properly set the owner of <code>/etc/cron.allow</code>, run the command: ><pre>$ sudo chown root /etc/cron.allow </pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>If the owner of the cron.allow file is not set to root, the possibility exists for an >unauthorized user to view or edit sensitive information.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_package_xorg-x11-server-common_removed" id="rule-detail-idm46336716215728"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Remove the X Windows Package Groupxccdf_org.ssgproject.content_rule_package_xorg-x11-server-common_removed mediumCCE-27218-7 </div><div class="panel-heading"><h3 class="panel-title">Remove the X Windows Package Group</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_xorg-x11-server-common_removed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:27</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27218-7">CCE-27218-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040730</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86931r3_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.2</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8).1(ii)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>By removing the xorg-x11-server-common package, the system no longer has X Windows >installed. If X Windows is not installed then the system cannot boot into graphical user mode. >This prevents the system from being accidentally or maliciously booted into a <code>graphical.target</code> >mode. To do so, run the following command: ><pre>$ sudo yum groupremove "X Window System"</pre> ><pre>$ sudo yum remove xorg-x11-server-common</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Unnecessary service packages must not be installed to decrease the attack surface of the system. X windows has a long history of security >vulnerabilities and should not be installed unless approved and documented.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_sssd_ldap_configure_tls_ca_dir" id="rule-detail-idm46336716008032"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure SSSD LDAP Backend Client CA Certificate Locationxccdf_org.ssgproject.content_rule_sssd_ldap_configure_tls_ca_dir mediumCCE-80515-0 </div><div class="panel-heading"><h3 class="panel-title">Configure SSSD LDAP Backend Client CA Certificate Location</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sssd_ldap_configure_tls_ca_dir</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:12</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80515-0">CCE-80515-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001453</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000250-GPOS-00093</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040190</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86853r2_rule</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Configure SSSD to implement cryptography to protect the >integrity of LDAP remote access sessions. By setting >the <pre>ldap_tls_cacertdir</pre> option in <pre>/etc/sssd/sssd.conf</pre> >to point to the path for the X.509 certificates used for peer authentication. ><pre>ldap_tls_cacertdir /path/to/tls/cacert</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Without cryptographic integrity protections, information can be altered by >unauthorized users without detection. ><br><br> >Cryptographic mechanisms used for >protecting the integrity of information include, for example, signed hash >functions using asymmetric cryptography enabling distribution of the public key >to verify the hash information while maintaining the confidentiality of the key >used to generate the hash.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_sssd_ldap_start_tls" id="rule-detail-idm46336716002768"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure SSSD LDAP Backend to Use TLS For All Transactionsxccdf_org.ssgproject.content_rule_sssd_ldap_start_tls mediumCCE-80546-5 </div><div class="panel-heading"><h3 class="panel-title">Configure SSSD LDAP Backend to Use TLS For All Transactions</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sssd_ldap_start_tls</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:12</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80546-5">CCE-80546-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040180</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86851r2_rule</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001453</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(2)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000250-GPOS-00093</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>This check verifies that RHEL7 implements cryptography >to protect the integrity of remote LDAP authentication sessions. ><br><br> >To determine if LDAP is being used for authentication, use the following >command: ><pre>$ sudo grep -i useldapauth /etc/sysconfig/authconfig</pre> ><br><br> >If <code>USELDAPAUTH=yes</code>, then LDAP is being used. To check if LDAP is >configured to use TLS, use the following command: ><pre>$ sudo grep -i ldap_id_use_start_tls /etc/sssd/sssd.conf</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Without cryptographic integrity protections, information can be >altered by unauthorized users without detection. The ssl directive specifies >whether to use TLS or not. If not specified it will default to no. >It should be set to start_tls rather than doing LDAP over SSL.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notchecked rule-detail-id-xccdf_org.ssgproject.content_rule_sssd_ldap_configure_tls_ca" id="rule-detail-idm46336715997088"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure SSSD LDAP Backend Client CA Certificatexccdf_org.ssgproject.content_rule_sssd_ldap_configure_tls_ca mediumCCE-80516-8 </div><div class="panel-heading"><h3 class="panel-title">Configure SSSD LDAP Backend Client CA Certificate</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sssd_ldap_configure_tls_ca</td></tr><tr><td>Result</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:27</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80516-8">CCE-80516-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001453</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000250-GPOS-00093</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040200</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86855r2_rule</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Configure SSSD to implement cryptography to protect the >integrity of LDAP remote access sessions. By setting >the <pre>ldap_tls_cacert</pre> option in <pre>/etc/sssd/sssd.conf</pre> >to point to the path for the X.509 certificates used for peer authentication. ><pre>ldap_tls_cacert /path/to/tls/ca.cert</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Without cryptographic integrity protections, information can be altered by >unauthorized users without detection. ><br><br> >Cryptographic mechanisms used for >protecting the integrity of information include, for example, signed hash >functions using asymmetric cryptography enabling distribution of the public key >to verify the hash information while maintaining the confidentiality of the key >used to generate the hash.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">No candidate or applicable check found.</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_sssd_enable_pam_services" id="rule-detail-idm46336715991328"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure PAM in SSSD Servicesxccdf_org.ssgproject.content_rule_sssd_enable_pam_services mediumCCE-80437-7 </div><div class="panel-heading"><h3 class="panel-title">Configure PAM in SSSD Services</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sssd_enable_pam_services</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:12</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80437-7">CCE-80437-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-041002</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-87051r3_rule</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001948</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001953</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001954</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-2(11)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000375-GPOS-00160</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000375-GPOS-00161</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000375-GPOS-00162</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>SSSD should be configured to run SSSD <code>pam</code> services. >To configure SSSD to known SSH hosts, add <code>pam</code> >to <code>services</code> under the <code>[sssd]</code> section in ><code>/etc/sssd/sssd.conf</code>. For example: ><pre>[sssd] >services = sudo, autofs, pam ></pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Using an authentication device, such as a CAC or token that is separate from >the information system, ensures that even if the information system is >compromised, that compromise will not affect credentials stored on the >authentication device.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_set_maxpoll" id="rule-detail-idm46336715966816"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure Time Service Maxpoll Intervalxccdf_org.ssgproject.content_rule_chronyd_or_ntpd_set_maxpoll unknownCCE-80439-3 </div><div class="panel-heading"><h3 class="panel-title">Configure Time Service Maxpoll Interval</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_set_maxpoll</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:12</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80439-3">CCE-80439-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040500</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86893r2_rule</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001891</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002046</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)(a)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000355-GPOS-00143</a>, <a href="">SRG-OS-000356-GPOS-00144</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>maxpoll</code> should be configured to ><abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_time_service_set_maxpoll">10</abbr> in <code>/etc/ntp.conf</code> or ><code>/etc/chrony.conf</code> to continuously poll time servers. To configure ><code>maxpoll</code> in <code>/etc/ntp.conf</code> or <code>/etc/chrony.conf</code> >add the following: ><pre>maxpoll <abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_time_service_set_maxpoll">10</abbr></pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Inaccurate time stamps make it more difficult to correlate >events and can lead to an inaccurate analysis. Determining the correct >time a particular event occurred on a system is critical when conducting >forensic analysis and investigating system events. Sources outside the >configured acceptable allowance (drift) may be inaccurate.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-error rule-detail-id-xccdf_org.ssgproject.content_rule_service_kdump_disabled" id="rule-detail-idm46336715902496"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable KDump Kernel Crash Analyzer (kdump)xccdf_org.ssgproject.content_rule_service_kdump_disabled mediumCCE-80258-7 </div><div class="panel-heading"><h3 class="panel-title">Disable KDump Kernel Crash Analyzer (kdump)</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_service_kdump_disabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-error"><div><abbr title="The checking engine could not complete the evaluation, therefore the status of the target's compliance with the rule is not certain. This could happen, for example, if a testing tool was run with insufficient privileges and could not gather all of the necessary information.">error</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:13</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80258-7">CCE-80258-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-021300</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86681r1_rule</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(c)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(b)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>kdump</code> service provides a kernel crash dump analyzer. It uses the <code>kexec</code> >system call to boot a secondary kernel ("capture" kernel) following a system >crash, which can load information from the crashed kernel for analysis. > >The <code>kdump</code> service can be disabled with the following command: ><pre>$ sudo systemctl disable kdump.service</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Kernel core dumps may contain the full contents of system memory at the time of the crash. >Kernel core dumps consume a considerable amount of disk space and may result in denial of >service by exhausting the available space on the target file system partition. >Unless the system is used for kernel development or testing, there >is little need to run the kdump service.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre><span class="label label-primary">info</span> > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Running in chroot, ignoring request. >Removed /etc/systemd/system/multi-user.target.wants/kdump.service. >Running in chroot, ignoring request. ></message></pre><span class="label label-primary">info</span> > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Failed to verify applied fix: Checking engine returns: fail</message></pre></div></div></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation Shell script:</span>   <a data-toggle="collapse" data-target="#idm46336736182512">(show)</a><br></br><div class="panel-collapse collapse" id="idm46336736182512"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code> >SYSTEMCTL_EXEC='/usr/bin/systemctl' >"$SYSTEMCTL_EXEC" stop 'kdump.service' >"$SYSTEMCTL_EXEC" disable 'kdump.service' ># Disable socket activation if we have a unit file for it >"$SYSTEMCTL_EXEC" list-unit-files | grep -q '^kdump.socket\>' && "$SYSTEMCTL_EXEC" disable 'kdump.socket' ># The service may not be running because it has been started and failed, ># so let's reset the state so OVAL checks pass. ># Service should be 'inactive', not 'failed' after reboot though. >"$SYSTEMCTL_EXEC" reset-failed 'kdump.service' ></code></pre></div></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation Ansible snippet:</span>   <a data-toggle="collapse" data-target="#idm46336736161248">(show)</a><br></br><div class="panel-collapse collapse" id="idm46336736161248"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Disable service kdump > service: > name: "{{item}}" > enabled: "no" > state: "stopped" > register: service_result > failed_when: "service_result is failed and ('Could not find the requested service' not in service_result.msg)" > with_items: > - kdump > tags: > - service_kdump_disabled > - medium_severity > - disable_strategy > - low_complexity > - low_disruption > - CCE-80258-7 > - NIST-800-53-AC-17(8) > - NIST-800-53-CM-7 > - NIST-800-53-CM-6(b) > - DISA-STIG-RHEL-07-021300 > > >- name: Disable socket of service kdump if applicable > service: > name: "{{item}}" > enabled: "no" > state: "stopped" > register: socket_result > failed_when: "socket_result is failed and ('Could not find the requested service' not in socket_result.msg)" > with_items: > - kdump.socket > tags: > - service_kdump_disabled > - medium_severity > - disable_strategy > - low_complexity > - low_disruption > - CCE-80258-7 > - NIST-800-53-AC-17(8) > - NIST-800-53-CM-7 > - NIST-800-53-CM-6(b) > - DISA-STIG-RHEL-07-021300 ></code></pre></div></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation Anaconda snippet:</span>   <a data-toggle="collapse" data-target="#idm46336736176048">(show)</a><br></br><div class="panel-collapse collapse" id="idm46336736176048"><pre><code> >kdump --disable ></code></pre></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notchecked rule-detail-id-xccdf_org.ssgproject.content_rule_postfix_prevent_unrestricted_relay" id="rule-detail-idm46336715876112"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Prevent Unrestricted Mail Relayingxccdf_org.ssgproject.content_rule_postfix_prevent_unrestricted_relay mediumCCE-80512-7 </div><div class="panel-heading"><h3 class="panel-title">Prevent Unrestricted Mail Relaying</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_postfix_prevent_unrestricted_relay</td></tr><tr><td>Result</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:28</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80512-7">CCE-80512-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040680</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86921r2_rule</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Modify the <pre>/etc/postfix/main.cf</pre> file to restrict client connections >to the local network with the following command: ><pre>$ sudo postconf -e 'smtpd_client_restrictions = permit_mynetworks,reject'</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>If unrestricted mail relaying is permitted, unauthorized senders could use this >host as a mail relay for the purpose of sending spam or other unauthorized >activity.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">No candidate or applicable check found.</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_mount_option_krb_sec_remote_filesystems" id="rule-detail-idm46336715816192"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Mount Remote Filesystems with Kerberos Securityxccdf_org.ssgproject.content_rule_mount_option_krb_sec_remote_filesystems mediumCCE-27458-9 </div><div class="panel-heading"><h3 class="panel-title">Mount Remote Filesystems with Kerberos Security</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_mount_option_krb_sec_remote_filesystems</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:28</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27458-9">CCE-27458-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040750</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86935r3_rule</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-14(1)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Add the <code>sec=krb5:krb5i:krb5p</code> option to the fourth column of <code>/etc/fstab</code> for the line which controls mounting of >any NFS mounts.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>When an NFS server is configured to use AUTH_SYS a selected userid and groupid are used to handle >requests from the remote user. The userid and groupid could mistakenly or maliciously be set >incorrectly. The AUTH_GSS method of authentication uses certificates on the server and client >systems to more securely authenticate the remote mount request.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_mount_option_noexec_remote_filesystems" id="rule-detail-idm46336715812208"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Mount Remote Filesystems with noexecxccdf_org.ssgproject.content_rule_mount_option_noexec_remote_filesystems mediumCCE-80436-9 </div><div class="panel-heading"><h3 class="panel-title">Mount Remote Filesystems with noexec</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_mount_option_noexec_remote_filesystems</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:28</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80436-9">CCE-80436-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-021021</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-87813r1_rule</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Add the <code>noexec</code> option to the fourth column of <code>/etc/fstab</code> for the line which controls mounting of >any NFS mounts.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The noexec mount option causes the system not to execute binary files. This option must be used >for mounting any file system not containing approved binary files as they may be incompatible. Executing >files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized >administrative access.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_mount_option_nosuid_remote_filesystems" id="rule-detail-idm46336715808272"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Mount Remote Filesystems with nosuidxccdf_org.ssgproject.content_rule_mount_option_nosuid_remote_filesystems mediumCCE-80240-5 </div><div class="panel-heading"><h3 class="panel-title">Mount Remote Filesystems with nosuid</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_mount_option_nosuid_remote_filesystems</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:28</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80240-5">CCE-80240-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-021020</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86669r1_rule</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Add the <code>nosuid</code> option to the fourth column of <code>/etc/fstab</code> for the line which controls mounting of >any NFS mounts.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>NFS mounts should not present suid binaries to users. Only vendor-supplied suid executables >should be installed to their default location on the local filesystem.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sshd_enable_strictmodes" id="rule-detail-idm46336715766960"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Enable Use of Strict Mode Checkingxccdf_org.ssgproject.content_rule_sshd_enable_strictmodes mediumCCE-80222-3 </div><div class="panel-heading"><h3 class="panel-title">Enable Use of Strict Mode Checking</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sshd_enable_strictmodes</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:28</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80222-3">CCE-80222-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040450</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86887r2_rule</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.12</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>SSHs StrictModes option checks file and ownership permissions in >the user's home directory <code>.ssh</code> folder before accepting login. If world- >writable permissions are found, logon is rejected. To enable StrictModes in SSH, >add or correct the following line in the <code>/etc/ssh/sshd_config</code> file: ><pre>StrictModes yes</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>If other users have access to modify user-specific SSH configuration files, they >may be able to log into the system as another user.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_sshd_disable_user_known_hosts" id="rule-detail-idm46336715762144"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable SSH Support for User Known Hostsxccdf_org.ssgproject.content_rule_sshd_disable_user_known_hosts mediumCCE-80372-6 </div><div class="panel-heading"><h3 class="panel-title">Disable SSH Support for User Known Hosts</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sshd_disable_user_known_hosts</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:13</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80372-6">CCE-80372-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FIA_AFL.1</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040380</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86873r2_rule</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.12</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>SSH can allow system users user host-based authentication to connect >to systems if a cache of the remote systems public keys are available. >This should be disabled. ><br><br> >To ensure this behavior is disabled, add or correct the >following line in <code>/etc/ssh/sshd_config</code>: ><pre>IgnoreUserKnownHosts yes</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Configuring this setting for the SSH daemon provides additional >assurance that remove login via SSH will require a password, even >in the event of misconfiguration elsewhere.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords" id="rule-detail-idm46336715744304"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable SSH Access via Empty Passwordsxccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords highCCE-27471-2 </div><div class="panel-heading"><h3 class="panel-title">Disable SSH Access via Empty Passwords</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:13</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27471-2">CCE-27471-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FIA_AFL.1</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-010300</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86563r2_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.9</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.6</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.5</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(b)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00229</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To explicitly disallow SSH login from accounts with >empty passwords, add or correct the following line in <code>/etc/ssh/sshd_config</code>: ><br> ><pre>PermitEmptyPasswords no</pre> ><br> >Any accounts with empty passwords should be disabled immediately, and PAM configuration >should prevent users from being able to assign themselves empty passwords.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Configuring this setting for the SSH daemon provides additional assurance that >remote login via SSH will require a password, even in the event of >misconfiguration elsewhere.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_sshd_set_keepalive" id="rule-detail-idm46336715734672"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set SSH Client Alive Countxccdf_org.ssgproject.content_rule_sshd_set_keepalive mediumCCE-27082-7 </div><div class="panel-heading"><h3 class="panel-title">Set SSH Client Alive Count</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sshd_set_keepalive</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:13</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27082-7">CCE-27082-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040340</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86865r3_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.12</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.6</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.11</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001133</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002361</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(5)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-8</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-12</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000163-GPOS-00072</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000279-GPOS-00109</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To ensure the SSH idle timeout occurs precisely when the <code>ClientAliveInterval</code> is set, >edit <code>/etc/ssh/sshd_config</code> as follows: ><pre>ClientAliveCountMax 0</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>This ensures a user login will be terminated as soon as the <code>ClientAliveInterval</code> >is reached.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sshd_disable_rhosts_rsa" id="rule-detail-idm46336715724848"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable SSH Support for Rhosts RSA Authenticationxccdf_org.ssgproject.content_rule_sshd_disable_rhosts_rsa mediumCCE-80373-4 </div><div class="panel-heading"><h3 class="panel-title">Disable SSH Support for Rhosts RSA Authentication</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sshd_disable_rhosts_rsa</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:28</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80373-4">CCE-80373-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FIA_AFL.1</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040330</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86863r3_rule</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.12</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>SSH can allow authentication through the obsolete rsh >command through the use of the authenticating user's SSH keys. This should be disabled. ><br><br> >To ensure this behavior is disabled, add or correct the >following line in <code>/etc/ssh/sshd_config</code>: ><pre>RhostsRSAAuthentication no</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Configuring this setting for the SSH daemon provides additional >assurance that remove login via SSH will require a password, even >in the event of misconfiguration elsewhere.</p></div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span> > As of <code>openssh-server</code> version <code>7.4</code> and above, >the <code>RhostsRSAAuthentication</code> option has been deprecated, and the line ><pre>RhostsRSAAuthentication no</pre> in <code>/etc/ssh/sshd_config</code> is not >necessary.</div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner" id="rule-detail-idm46336715755776"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Enable SSH Warning Bannerxccdf_org.ssgproject.content_rule_sshd_enable_warning_banner mediumCCE-27314-4 </div><div class="panel-heading"><h3 class="panel-title">Enable SSH Warning Banner</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:13</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27314-4">CCE-27314-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040170</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86849r3_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.16</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.6</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.9</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000048</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000050</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001384</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001385</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001386</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001387</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001388</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-8(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-8(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-8(c)(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-8(c)(2)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-8(c)(3)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000023-GPOS-00006</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000024-GPOS-00007</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000228-GPOS-00088</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To enable the warning banner and ensure it is consistent >across the system, add or correct the following line in <code>/etc/ssh/sshd_config</code>: ><pre>Banner /etc/issue</pre> >Another section contains information on how to create an >appropriate system-wide warning banner.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The warning message reinforces policy awareness during the logon process and >facilitates possible legal action against attackers. Alternatively, systems >whose ownership should not be obvious should ensure usage of a banner that does >not provide easy attribution.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_sshd_use_approved_macs" id="rule-detail-idm46336715707360"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Use Only FIPS 140-2 Validated MACsxccdf_org.ssgproject.content_rule_sshd_use_approved_macs mediumCCE-27455-5 </div><div class="panel-heading"><h3 class="panel-title">Use Only FIPS 140-2 Validated MACs</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sshd_use_approved_macs</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:13</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27455-5">CCE-27455-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040400</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86877r2_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.12</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.13.11</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.13.8</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001453</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(2)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.314(b)(2)(i)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(2)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-7</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-13</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000250-GPOS-00093</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Limit the MACs to those hash algorithms which are FIPS-approved. >The following line in <code>/etc/ssh/sshd_config</code> demonstrates use >of FIPS-approved MACs: ><br><br> ><pre>MACs hmac-sha2-512,hmac-sha2-256</pre> ><br><br> >Only the following message authentication codes are FIPS 140-2 certified on RHEL 7: ><br>- hmac-sha1 ><br>- hmac-sha2-256 ><br>- hmac-sha2-512 ><br>- hmac-sha1-etm@openssh.com ><br>- hmac-sha2-256-etm@openssh.com ><br>- hmac-sha2-512-etm@openssh.com ><br><br> >Any combination of the above MACs will pass this check. Official FIPS 140-2 paperwork for >RHEL7 can be found at http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp2630.pdf.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>DoD Information Systems are required to use FIPS-approved cryptographic hash >functions. The only SSHv2 hash algorithms meeting this requirement is SHA2.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_sshd_do_not_permit_user_env" id="rule-detail-idm46336715702240"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Do Not Allow SSH Environment Optionsxccdf_org.ssgproject.content_rule_sshd_do_not_permit_user_env mediumCCE-27363-1 </div><div class="panel-heading"><h3 class="panel-title">Do Not Allow SSH Environment Options</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sshd_do_not_permit_user_env</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:13</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27363-1">CCE-27363-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-010460</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86581r2_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.10</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.6</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.12</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(b)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00229</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To ensure users are not able to override environment >options to the SSH daemon, add or correct the following line >in <code>/etc/ssh/sshd_config</code>: ><pre>PermitUserEnvironment no</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>SSH environment options potentially allow users to bypass >access restriction in some configurations.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sshd_disable_kerb_auth" id="rule-detail-idm46336715718368"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable Kerberos Authenticationxccdf_org.ssgproject.content_rule_sshd_disable_kerb_auth mediumCCE-80221-5 </div><div class="panel-heading"><h3 class="panel-title">Disable Kerberos Authentication</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sshd_disable_kerb_auth</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:28</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80221-5">CCE-80221-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FIA_AFL.1</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040440</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86885r2_rule</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.12</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000368</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000318</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001812</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001813</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001814</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(c)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000364-GPOS-00151</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Unless needed, SSH should not permit extraneous or unnecessary >authentication mechanisms like Kerberos. To disable Kerberos authentication, add >or correct the following line in the <code>/etc/ssh/sshd_config</code> file: ><pre>KerberosAuthentication no</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Kerberos authentication for SSH is often implemented using GSSAPI. If Kerberos >is enabled through SSH, the SSH daemon provides a means of access to the >system's Kerberos implementation. Vulnerabilities in the system's Kerberos >implementations may be subject to exploitation.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2" id="rule-detail-idm46336715692480"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Allow Only SSH Protocol 2xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2 highCCE-27320-1 </div><div class="panel-heading"><h3 class="panel-title">Allow Only SSH Protocol 2</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:28</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27320-1">CCE-27320-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040390</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86875r3_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.2</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.6</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.5.4</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000197</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8).1(ii)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000074-GPOS-00042</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Only SSH protocol version 2 connections should be >permitted. The default setting in ><code>/etc/ssh/sshd_config</code> is correct, and can be >verified by ensuring that the following >line appears: ><pre>Protocol 2</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>SSH protocol version 1 is an insecure implementation of the SSH protocol and >has many well-known vulnerability exploits. Exploits of the SSH daemon could provide >immediate root access to the system.</p></div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span> > As of <code>openssh-server</code> version <code>7.4</code> and above, the only protocol >supported is version 2, and line <pre>Protocol 2</pre> in ><code>/etc/ssh/sshd_config</code> is not necessary.</div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sshd_disable_rhosts" id="rule-detail-idm46336715684656"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable SSH Support for .rhosts Filesxccdf_org.ssgproject.content_rule_sshd_disable_rhosts mediumCCE-27377-1 </div><div class="panel-heading"><h3 class="panel-title">Disable SSH Support for .rhosts Files</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sshd_disable_rhosts</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:28</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27377-1">CCE-27377-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FIA_AFL.1</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040350</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86867r2_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.6</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.6</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.12</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>SSH can emulate the behavior of the obsolete rsh >command in allowing users to enable insecure access to their >accounts via <code>.rhosts</code> files. ><br><br> >To ensure this behavior is disabled, add or correct the >following line in <code>/etc/ssh/sshd_config</code>: ><pre>IgnoreRhosts yes</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>SSH trust relationships mean a compromise on one host >can allow an attacker to move trivially to other hosts.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout" id="rule-detail-idm46336715679904"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set SSH Idle Timeout Intervalxccdf_org.ssgproject.content_rule_sshd_set_idle_timeout unknownCCE-27433-2 </div><div class="panel-heading"><h3 class="panel-title">Set SSH Idle Timeout Interval</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:13</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27433-2">CCE-27433-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040320</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86861r3_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.12</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.6</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.11</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001133</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002361</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(5)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-8(i)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-12</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.1.8</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000163-GPOS-00072</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000279-GPOS-00109</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>SSH allows administrators to set an idle timeout >interval. >After this interval has passed, the idle user will be >automatically logged out. ><br><br> >To set an idle timeout interval, edit the following line in <code>/etc/ssh/sshd_config</code> as >follows: ><pre>ClientAliveInterval <b><abbr title="from TestResult: xccdf_org.ssgproject.content_value_sshd_idle_timeout_value">600</abbr></b></pre> >The timeout <b>interval</b> is given in seconds. To have a timeout >of 15 minutes, set <b>interval</b> to 900. ><br><br> >If a shorter timeout has already been set for the login >shell, that value will preempt any SSH >setting made here. Keep in mind that some processes may stop SSH >from correctly detecting that the user is idle.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Terminating an idle ssh session within a short time period reduces the window of >opportunity for unauthorized personnel to take control of a management session >enabled on the console or console port that has been let unattended.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sshd_enable_x11_forwarding" id="rule-detail-idm46336715659504"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Enable Encrypted X11 Forwardingxccdf_org.ssgproject.content_rule_sshd_enable_x11_forwarding highCCE-80226-4 </div><div class="panel-heading"><h3 class="panel-title">Enable Encrypted X11 Forwarding</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sshd_enable_x11_forwarding</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:28</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80226-4">CCE-80226-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040710</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86927r3_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.4</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-2(1)(b)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>By default, remote X11 connections are not encrypted when initiated >by users. SSH has the capability to encrypt remote X11 connections when SSH's ><code>X11Forwarding</code> option is enabled. ><br><br> >To enable X11 Forwarding, add or correct the >following line in <code>/etc/ssh/sshd_config</code>: ><pre>X11Forwarding yes</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Open X displays allow an attacker to capture keystrokes and to execute commands >remotely.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_sshd_use_approved_ciphers" id="rule-detail-idm46336715672736"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Use Only FIPS 140-2 Validated Ciphersxccdf_org.ssgproject.content_rule_sshd_use_approved_ciphers mediumCCE-27295-5 </div><div class="panel-heading"><h3 class="panel-title">Use Only FIPS 140-2 Validated Ciphers</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sshd_use_approved_ciphers</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:13</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27295-5">CCE-27295-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040110</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86845r2_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.10</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.6</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.13.11</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.13.8</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000068</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000803</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(2)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.314(b)(2)(i)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(2)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-10(5)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-7</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000033-GPOS-00014</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000120-GPOS-00061</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000125-GPOS-00065</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000250-GPOS-00093</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000393-GPOS-00173</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Limit the ciphers to those algorithms which are FIPS-approved. >Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode. >The following line in <code>/etc/ssh/sshd_config</code> demonstrates use of >FIPS 140-2 validated ciphers: ><pre>Ciphers aes128-ctr,aes192-ctr,aes256-ctr</pre> ><br><br> >The following ciphers are FIPS 140-2 certified on RHEL 7: ><br>- aes128-ctr ><br>- aes192-ctr ><br>- aes256-ctr ><br>- aes128-cbc ><br>- aes192-cbc ><br>- aes256-cbc ><br>- 3des-cbc ><br>- rijndael-cbc@lysator.liu.se ><br><br> >Any combination of the above ciphers will pass this check. Official FIPS 140-2 paperwork for >RHEL7 can be found at http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp2630.pdf.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore >cannot be relied upon to provide confidentiality or integrity, and system data may be compromised. ><br> >Operating systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to >cryptographic modules. ><br> >FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules >utilize authentication that meets industry and government requirements. For government systems, this allows >Security Levels 1, 2, 3, or 4 for use on Red Hat Enterprise Linux.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_disable_host_auth" id="rule-detail-idm46336715644928"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable Host-Based Authenticationxccdf_org.ssgproject.content_rule_disable_host_auth mediumCCE-27413-4 </div><div class="panel-heading"><h3 class="panel-title">Disable Host-Based Authentication</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_disable_host_auth</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:28</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27413-4">CCE-27413-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FIA_AFL.1</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-010470</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86583r2_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.7</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.6</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.12</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(b)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00229</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>SSH's cryptographic host-based authentication is >more secure than <code>.rhosts</code> authentication. However, it is >not recommended that hosts unilaterally trust one another, even >within an organization. ><br><br> >To disable host-based authentication, add or correct the >following line in <code>/etc/ssh/sshd_config</code>: ><pre>HostbasedAuthentication no</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>SSH trust relationships mean a compromise on one host >can allow an attacker to move trivially to other hosts.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_sshd_use_priv_separation" id="rule-detail-idm46336715651120"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Enable Use of Privilege Separationxccdf_org.ssgproject.content_rule_sshd_use_priv_separation mediumCCE-80223-1 </div><div class="panel-heading"><h3 class="panel-title">Enable Use of Privilege Separation</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sshd_use_priv_separation</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:13</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80223-1">CCE-80223-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040460</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86889r2_rule</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.12</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>When enabled, SSH will create an unprivileged child process that >has the privilege of the authenticated user. To enable privilege separation in >SSH, add or correct the following line in the <code>/etc/ssh/sshd_config</code> file: ><pre>UsePrivilegeSeparation sandbox</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>SSH daemon privilege separation causes the SSH process to drop root privileges >when not needed which would decrease the impact of software vulnerabilities in >the unprivileged section.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_sshd_print_last_log" id="rule-detail-idm46336715623520"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Print Last Logxccdf_org.ssgproject.content_rule_sshd_print_last_log mediumCCE-80225-6 </div><div class="panel-heading"><h3 class="panel-title">Print Last Log</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sshd_print_last_log</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:13</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80225-6">CCE-80225-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040360</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86869r2_rule</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-9</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>When enabled, SSH will display the date and time of the last >successful account logon. To enable LastLog in >SSH, add or correct the following line in the <code>/etc/ssh/sshd_config</code> file: ><pre>PrintLastLog yes</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Providing users feedback on when account accesses last occurred facilitates user >recognition and reporting of unauthorized account use.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_sshd_disable_gssapi_auth" id="rule-detail-idm46336715633328"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable GSSAPI Authenticationxccdf_org.ssgproject.content_rule_sshd_disable_gssapi_auth mediumCCE-80220-7 </div><div class="panel-heading"><h3 class="panel-title">Disable GSSAPI Authentication</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sshd_disable_gssapi_auth</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:13</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80220-7">CCE-80220-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FIA_AFL.1</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040430</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86883r2_rule</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.12</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000368</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000318</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001812</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001813</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001814</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(c)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000364-GPOS-00151</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Unless needed, SSH should not permit extraneous or unnecessary >authentication mechanisms like GSSAPI. To disable GSSAPI authentication, add or >correct the following line in the <code>/etc/ssh/sshd_config</code> file: ><pre>GSSAPIAuthentication no</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>GSSAPI authentication is used to provide additional authentication mechanisms to >applications. Allowing GSSAPI authentication through SSH exposes the system's >GSSAPI to remote hosts, increasing the attack surface of the system.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_sshd_disable_compression" id="rule-detail-idm46336715610304"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable Compression Or Set Compression to delayedxccdf_org.ssgproject.content_rule_sshd_disable_compression mediumCCE-80224-9 </div><div class="panel-heading"><h3 class="panel-title">Disable Compression Or Set Compression to delayed</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sshd_disable_compression</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:13</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80224-9">CCE-80224-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040470</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86891r2_rule</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.12</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(b)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Compression is useful for slow network connections over long >distances but can cause performance issues on local LANs. If use of compression >is required, it should be enabled only after a user has authenticated; otherwise >, it should be disabled. To disable compression or delay compression until after >a user has successfully authenticated, add or correct the following line in the ><code>/etc/ssh/sshd_config</code> file: ><pre>Compression no</pre> or <pre>Compression delayed</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>If compression is allowed in an SSH connection prior to authentication, >vulnerabilities in the compression software could result in compromise of the >system from an unauthenticated connection, potentially wih root privileges.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_sshd_disable_root_login" id="rule-detail-idm46336715607360"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable SSH Root Loginxccdf_org.ssgproject.content_rule_sshd_disable_root_login mediumCCE-27445-6 </div><div class="panel-heading"><h3 class="panel-title">Disable SSH Root Login</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sshd_disable_root_login</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:13</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27445-6">CCE-27445-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FIA_AFL.1</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040370</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86871r2_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.8</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.6</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.5</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(2)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-2(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-2(5)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The root user should never be allowed to login to a >system directly over a network. >To disable root login via SSH, add or correct the following line >in <code>/etc/ssh/sshd_config</code>: ><pre>PermitRootLogin no</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Even though the communications channel may be encrypted, an additional layer of >security is gained by extending the policy of not logging directly on as root. >In addition, logging in with a user-specific account provides individual >accountability of actions performed on the system and also helps to minimize >direct attack attempts on root's password.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_package_openssh-server_installed" id="rule-detail-idm46336715591888"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Install the OpenSSH Server Packagexccdf_org.ssgproject.content_rule_package_openssh-server_installed mediumCCE-80215-7 </div><div class="panel-heading"><h3 class="panel-title">Install the OpenSSH Server Package</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_openssh-server_installed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:28</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80215-7">CCE-80215-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040300</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86857r2_rule</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002418</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002420</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002421</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002422</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-8</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000423-GPOS-00187</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000423-GPOS-00188</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000423-GPOS-00189</a>, <a href="">SRG-OS000423-GPOS-00190</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>openssh-server</code> package should be installed. > >The <code>openssh-server</code> package can be installed with the following command: ><pre>$ sudo yum install openssh-server</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Without protection of the transmitted information, confidentiality, and >integrity may be compromised because unprotected communications can be >intercepted and either read or altered.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-error rule-detail-id-xccdf_org.ssgproject.content_rule_service_sshd_enabled" id="rule-detail-idm46336715581728"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Enable the OpenSSH Servicexccdf_org.ssgproject.content_rule_service_sshd_enabled mediumCCE-80216-5 </div><div class="panel-heading"><h3 class="panel-title">Enable the OpenSSH Service</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_service_sshd_enabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-error"><div><abbr title="The checking engine could not complete the evaluation, therefore the status of the target's compliance with the rule is not certain. This could happen, for example, if a testing tool was run with insufficient privileges and could not gather all of the necessary information.">error</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:13</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80216-5">CCE-80216-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040310</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86859r2_rule</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.5.4</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.13.8</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002418</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002420</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002421</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002422</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-8</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000423-GPOS-00187</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000423-GPOS-00188</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000423-GPOS-00189</a>, <a href="">SRG-OS000423-GPOS-00190</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The SSH server service, sshd, is commonly needed. > >The <code>sshd</code> service can be enabled with the following command: ><pre>$ sudo systemctl enable sshd.service</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Without protection of the transmitted information, confidentiality, and >integrity may be compromised because unprotected communications can be >intercepted and either read or altered. ><br><br> >This checklist item applies to both internal and external networks and all types >of information system components from which information can be transmitted (e.g., servers, >mobile devices, notebook computers, printers, copiers, scanners, etc). Communication paths >outside the physical protection of a controlled boundary are exposed to the possibility >of interception and modification.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre><span class="label label-primary">info</span> > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Running in chroot, ignoring request. ></message></pre><span class="label label-primary">info</span> > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Failed to verify applied fix: Checking engine returns: fail</message></pre></div></div></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation Shell script:</span>   <a data-toggle="collapse" data-target="#idm46336734713312">(show)</a><br></br><div class="panel-collapse collapse" id="idm46336734713312"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code> >SYSTEMCTL_EXEC='/usr/bin/systemctl' >"$SYSTEMCTL_EXEC" start 'sshd.service' >"$SYSTEMCTL_EXEC" enable 'sshd.service' ></code></pre></div></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation Ansible snippet:</span>   <a data-toggle="collapse" data-target="#idm46336734716464">(show)</a><br></br><div class="panel-collapse collapse" id="idm46336734716464"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service sshd > service: > name: "{{item}}" > enabled: "yes" > state: "started" > with_items: > - sshd > tags: > - service_sshd_enabled > - medium_severity > - enable_strategy > - low_complexity > - low_disruption > - CCE-80216-5 > - NIST-800-53-SC-8 > - NIST-800-171-3.1.13 > - NIST-800-171-3.5.4 > - NIST-800-171-3.13.8 > - DISA-STIG-RHEL-07-040310 ></code></pre></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-error rule-detail-id-xccdf_org.ssgproject.content_rule_file_permissions_sshd_pub_key" id="rule-detail-idm46336715575168"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Verify Permissions on SSH Server Public *.pub Key Filesxccdf_org.ssgproject.content_rule_file_permissions_sshd_pub_key mediumCCE-27311-0 </div><div class="panel-heading"><h3 class="panel-title">Verify Permissions on SSH Server Public *.pub Key Files</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_file_permissions_sshd_pub_key</td></tr><tr><td>Result</td><td class="rule-result rule-result-error"><div><abbr title="The checking engine could not complete the evaluation, therefore the status of the target's compliance with the rule is not certain. This could happen, for example, if a testing tool was run with insufficient privileges and could not gather all of the necessary information.">error</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:13</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27311-0">CCE-27311-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040410</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86879r1_rule</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.13.10</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p> To properly set the permissions of <code>/etc/ssh/*.pub</code>, run the command: <pre>$ sudo chmod 0644 /etc/ssh/*.pub</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>If a public host key file is modified by an unauthorized user, the SSH service >may be compromised.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 1</message></pre><span class="label label-primary">info</span> > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">chmod: cannot access '/etc/ssh/*.pub': No such file or directory ></message></pre><span class="label label-primary">info</span> > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Failed to verify applied fix: Checking engine returns: fail</message></pre></div></div></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation Shell script:</span>   <a data-toggle="collapse" data-target="#idm46336734697296">(show)</a><br></br><div class="panel-collapse collapse" id="idm46336734697296"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code> >chmod 0644 /etc/ssh/*.pub ></code></pre></div></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation Ansible snippet:</span>   <a data-toggle="collapse" data-target="#idm46336734685104">(show)</a><br></br><div class="panel-collapse collapse" id="idm46336734685104"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Ensure permission 0644 on /etc/ssh/*.pub > file: > path: "{{ item }}" > mode: 0644 > with_items: > - /etc/ssh/*.pub > tags: > - file_permissions_sshd_pub_key > - medium_severity > - configure_strategy > - low_complexity > - low_disruption > - CCE-27311-0 > - NIST-800-53-AC-6 > - NIST-800-171-3.1.13 > - NIST-800-171-3.13.10 > - DISA-STIG-RHEL-07-040410 ></code></pre></div></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation Puppet snippet:</span>   <a data-toggle="collapse" data-target="#idm46336734699776">(show)</a><br></br><div class="panel-collapse collapse" id="idm46336734699776"><pre><code>include ssh_public_key_perms > >class ssh_public_key_perms { > exec { 'sshd_pub_key': > command => "chmod 0644 /etc/ssh/*.pub", > path => '/bin:/usr/bin' > } >} ></code></pre></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-error rule-detail-id-xccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key" id="rule-detail-idm46336715567280"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Verify Permissions on SSH Server Private *_key Key Filesxccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key mediumCCE-27485-2 </div><div class="panel-heading"><h3 class="panel-title">Verify Permissions on SSH Server Private *_key Key Files</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key</td></tr><tr><td>Result</td><td class="rule-result rule-result-error"><div><abbr title="The checking engine could not complete the evaluation, therefore the status of the target's compliance with the rule is not certain. This could happen, for example, if a testing tool was run with insufficient privileges and could not gather all of the necessary information.">error</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:13</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27485-2">CCE-27485-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040420</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86881r1_rule</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.13.10</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p> To properly set the permissions of <code>/etc/ssh/*_key</code>, run the command: <pre>$ sudo chmod 0640 /etc/ssh/*_key</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>If an unauthorized user obtains the private SSH host key file, the host could be >impersonated.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 1</message></pre><span class="label label-primary">info</span> > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">chmod: cannot access '/etc/ssh/*_key': No such file or directory ></message></pre><span class="label label-primary">info</span> > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Failed to verify applied fix: Checking engine returns: fail</message></pre></div></div></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation Shell script:</span>   <a data-toggle="collapse" data-target="#idm46336734675552">(show)</a><br></br><div class="panel-collapse collapse" id="idm46336734675552"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code> >chmod 0600 /etc/ssh/*_key ></code></pre></div></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation Ansible snippet:</span>   <a data-toggle="collapse" data-target="#idm46336734674064">(show)</a><br></br><div class="panel-collapse collapse" id="idm46336734674064"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Ensure permission 0600 on /etc/ssh/*_key > file: > path: "{{ item }}" > mode: 0600 > with_items: > - /etc/ssh/*_key > tags: > - file_permissions_sshd_private_key > - medium_severity > - configure_strategy > - low_complexity > - low_disruption > - CCE-27485-2 > - NIST-800-53-AC-6 > - NIST-800-171-3.1.13 > - NIST-800-171-3.13.10 > - DISA-STIG-RHEL-07-040420 ></code></pre></div></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation Puppet snippet:</span>   <a data-toggle="collapse" data-target="#idm46336734668400">(show)</a><br></br><div class="panel-collapse collapse" id="idm46336734668400"><pre><code>include ssh_private_key_perms > >class ssh_private_key_perms { > exec { 'sshd_priv_key': > command => "chmod 0640 /etc/ssh/*_key", > path => '/bin:/usr/bin' > } >} ></code></pre></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_rsyslog_remote_loghost" id="rule-detail-idm46336715556560"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure Logs Sent To Remote Hostxccdf_org.ssgproject.content_rule_rsyslog_remote_loghost unknownCCE-27343-3 </div><div class="panel-heading"><h3 class="panel-title">Ensure Logs Sent To Remote Host</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_rsyslog_remote_loghost</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:13</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27343-3">CCE-27343-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-031000</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86833r1_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">4.2.1.4</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001348</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000136</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001851</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(B)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(6)(ii)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(8)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(2)(iii)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.314(a)(2)(i)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.314(a)(2)(iii)</a>, <a href="https://www.iso.org/standard/54534.html">A.12.3.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-3(2)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-4(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-9</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To configure rsyslog to send logs to a remote log server, >open <code>/etc/rsyslog.conf</code> and read and understand the last section of the file, >which describes the multiple directives necessary to activate remote >logging. >Along with these other directives, the system can be configured >to forward its logs to a particular log server by >adding or correcting one of the following lines, >substituting <code><i>loghost.example.com</i></code> appropriately. >The choice of protocol depends on the environment of the system; >although TCP and RELP provide more reliable message delivery, >they may not be supported in all environments. ><br> >To use UDP for log message delivery: ><pre>*.* @<i>loghost.example.com</i></pre> ><br> >To use TCP for log message delivery: ><pre>*.* @@<i>loghost.example.com</i></pre> ><br> >To use RELP for log message delivery: ><pre>*.* :omrelp:<i>loghost.example.com</i></pre> ><br> >There must be a resolvable DNS CNAME or Alias record set to "<abbr title="from TestResult: xccdf_org.ssgproject.content_value_rsyslog_remote_loghost_address">logcollector</abbr>" for logs to be sent correctly to the centralized logging utility.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>A log server (loghost) receives syslog messages from one or more >systems. This data can be used as an additional log source in the event a >system is compromised and its local logs are suspect. Forwarding log messages >to a remote loghost also provides system administrators with a centralized >place to view the status of multiple hosts within the enterprise.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_rsyslog_cron_logging" id="rule-detail-idm46336715553072"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure cron Is Logging To Rsyslogxccdf_org.ssgproject.content_rule_rsyslog_cron_logging mediumCCE-80380-9 </div><div class="panel-heading"><h3 class="panel-title">Ensure cron Is Logging To Rsyslog</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_rsyslog_cron_logging</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:28</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80380-9">CCE-80380-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-021100</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86675r1_rule</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Cron logging must be implemented to spot intrusions or trace >cron job status. If <code>cron</code> is not logging to <code>rsyslog</code>, it >can be implemented by adding the following to the <i>RULES</i> section of ><code>/etc/rsyslog.conf</code>: ><pre>cron.* /var/log/cron</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Cron logging can be used to trace the successful or unsuccessful execution >of cron jobs. It can also be used to spot intrusions into the use of the cron >facility by unauthorized and malicious users.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_rsyslog_nolisten" id="rule-detail-idm46336715526848"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Serverxccdf_org.ssgproject.content_rule_rsyslog_nolisten unknownCCE-80192-8 </div><div class="panel-heading"><h3 class="panel-title">Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_rsyslog_nolisten</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:28</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80192-8">CCE-80192-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-031010</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86835r1_rule</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000318</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000368</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001812</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001813</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001814</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-9(2)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-4</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(c)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>rsyslog</code> daemon should not accept remote messages >unless the system acts as a log server. >To ensure that it is not listening on the network, ensure the following lines are ><i>not</i> found in <code>/etc/rsyslog.conf</code>: ><pre>$ModLoad imtcp >$InputTCPServerRun <i>port</i> >$ModLoad imudp >$UDPServerRun <i>port</i> >$ModLoad imrelp >$InputRELPServerRun <i>port</i></pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Any process which receives messages from the network incurs some risk >of receiving malicious messages. This risk can be eliminated for >rsyslog by configuring it not to listen on the network.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_set_firewalld_default_zone" id="rule-detail-idm46336715510240"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set Default firewalld Zone for Incoming Packetsxccdf_org.ssgproject.content_rule_set_firewalld_default_zone mediumCCE-27349-0 </div><div class="panel-heading"><h3 class="panel-title">Set Default firewalld Zone for Incoming Packets</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_set_firewalld_default_zone</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:28</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27349-0">CCE-27349-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040810</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86939r2_rule</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.10.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.13.6</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To set the default zone to <code>drop</code> for >the built-in default zone which processes incoming IPv4 and IPv6 packets, >modify the following line in ><code>/etc/firewalld/firewalld.conf</code> to be: ><pre>DefaultZone=drop</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>In <code>firewalld</code> the default zone is applied only after all >the applicable rules in the table are examined for a match. Setting the >default zone to <code>drop</code> implements proper design for a firewall, i.e. >any packets which are not explicitly permitted should not be >accepted.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_configure_firewalld_ports" id="rule-detail-idm46336715506272"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure the Firewalld Portsxccdf_org.ssgproject.content_rule_configure_firewalld_ports mediumCCE-80447-6 </div><div class="panel-heading"><h3 class="panel-title">Configure the Firewalld Ports</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_configure_firewalld_ports</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:14</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80447-6">CCE-80447-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040100</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86843r1_rule</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000382</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002314</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7.1(iii)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(1)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000096-GPOS-00050</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000297-GPOS-00115</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Configure the <code>firewalld</code> ports to allow approved >services to have access to the system. To configure <code>firewalld</code> >to open ports, run the following command: ><pre>$ sudo firewall-cmd --permanent --add-port=<i>port_number</i>/tcp</pre> >or ><pre>$ sudo firewall-cmd --permanent --add-port=<i>service_name</i></pre> >Run the command list above for each of the ports listed below: > >To configure <code>firewalld</code> to allow access, run the following command(s): > > ><code>firewall-cmd --permanent --add-service=ssh</code></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>In order to prevent unauthorized connection of devices, unauthorized transfer of information, >or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or >restrict unused or unnecessary physical and logical ports/protocols on information systems. ><br><br> >Operating systems are capable of providing a wide variety of functions and services. Some of the functions >and services provided by default may not be necessary to support essential organizational operations. >Additionally, it is sometimes convenient to provide multiple services from a single component >(e.g., VPN and IPS); however, doing so increases risk over limiting the services provided by any one component. ><br><br> >To support the requirements and principles of least functionality, the operating system must support the >organizational requirements, providing only essential capabilities and limiting the use of ports, protocols, >and/or services to only those required, authorized, and approved to conduct official business or to address >authorized quality of life issues.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre><span class="label label-primary">info</span> > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">which: no dnf in (/bin:/sbin:/usr/bin:/usr/sbin) >/bin/yum ></message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notchecked rule-detail-id-xccdf_org.ssgproject.content_rule_configure_firewalld_rate_limiting" id="rule-detail-idm46336715482528"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure firewalld To Rate Limit Connectionsxccdf_org.ssgproject.content_rule_configure_firewalld_rate_limiting mediumCCE-80542-4 </div><div class="panel-heading"><h3 class="panel-title">Configure firewalld To Rate Limit Connections</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_configure_firewalld_rate_limiting</td></tr><tr><td>Result</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:28</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80542-4">CCE-80542-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002385</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000420-GPOS-00186</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040510</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86895r2_rule</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Create a direct firewall rule to protect against DoS attacks with the following >command: ><pre>$ sudo firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT_direct 0 -p tcp -m limit --limit 25/minute --limit-burst 100 -j ACCEPT</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>DoS is a condition when a resource is not available for legitimate users. When >this occurs, the organization either cannot accomplish its mission or must >operate at degraded capacity. ><br><br> >This requirement addresses the configuration of >the operating system to mitigate the impact of DoS attacks that have occurred or >are ongoing on system availability. For each system, known and potential DoS >attacks must be identified and solutions for each type implemented. A variety of >technologies exist to limit or, in some cases, eliminate the effects of DoS >attacks (e.g., limiting processes or establishing memory partitions). Employing >increased capacity and bandwidth, combined with service redundancy, may reduce >the susceptibility to some DoS attacks.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">No candidate or applicable check found.</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-error rule-detail-id-xccdf_org.ssgproject.content_rule_service_firewalld_enabled" id="rule-detail-idm46336715500448"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Verify firewalld Enabledxccdf_org.ssgproject.content_rule_service_firewalld_enabled mediumCCE-27361-5 </div><div class="panel-heading"><h3 class="panel-title">Verify firewalld Enabled</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_service_firewalld_enabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-error"><div><abbr title="The checking engine could not complete the evaluation, therefore the status of the target's compliance with the rule is not certain. This could happen, for example, if a testing tool was run with insufficient privileges and could not gather all of the necessary information.">error</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:14</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27361-5">CCE-27361-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040520</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86897r1_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">4.7</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(b)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p> The <code>firewalld</code> service can be enabled with the following command: <pre>$ sudo systemctl enable firewalld.service</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Access control methods provide the ability to enhance system security posture >by restricting services and known good IP addresses and address ranges. This >prevents connections from unknown hosts and protocols.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre><span class="label label-primary">info</span> > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Running in chroot, ignoring request. ></message></pre><span class="label label-primary">info</span> > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Failed to verify applied fix: Checking engine returns: fail</message></pre></div></div></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation Shell script:</span>   <a data-toggle="collapse" data-target="#idm46336734271600">(show)</a><br></br><div class="panel-collapse collapse" id="idm46336734271600"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code> >SYSTEMCTL_EXEC='/usr/bin/systemctl' >"$SYSTEMCTL_EXEC" start 'firewalld.service' >"$SYSTEMCTL_EXEC" enable 'firewalld.service' ></code></pre></div></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation Ansible snippet:</span>   <a data-toggle="collapse" data-target="#idm46336734237536">(show)</a><br></br><div class="panel-collapse collapse" id="idm46336734237536"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service firewalld > service: > name: "{{item}}" > enabled: "yes" > state: "started" > with_items: > - firewalld > tags: > - service_firewalld_enabled > - medium_severity > - enable_strategy > - low_complexity > - low_disruption > - CCE-27361-5 > - NIST-800-53-CM-6(b) > - NIST-800-171-3.1.3 > - NIST-800-171-3.4.7 > - DISA-STIG-RHEL-07-040520 ></code></pre></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notchecked rule-detail-id-xccdf_org.ssgproject.content_rule_libreswan_approved_tunnels" id="rule-detail-idm46336715478304"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Verify Any Configured IPSec Tunnel Connectionsxccdf_org.ssgproject.content_rule_libreswan_approved_tunnels mediumCCE-80171-2 </div><div class="panel-heading"><h3 class="panel-title">Verify Any Configured IPSec Tunnel Connections</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_libreswan_approved_tunnels</td></tr><tr><td>Result</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:28</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80171-2">CCE-80171-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040820</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86941r1_rule</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000336</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-4</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Libreswan provides an implementation of IPsec >and IKE, which permits the creation of secure tunnels over >untrusted networks. As such, IPsec can be used to circumvent certain >network requirements such as filtering. Verify that if any IPsec connection >(<code>conn</code>) configured in <code>/etc/ipsec.conf</code> and <code>/etc/ipsec.d</code> >exists is an approved organizational connection.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>IP tunneling mechanisms can be used to bypass network filtering.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">No candidate or applicable check found.</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_source_route" id="rule-detail-idm46336715461456"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure Kernel Parameter for Accepting IPv6 Source-Routed Packets for All Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_source_route mediumCCE-80179-5 </div><div class="panel-heading"><h3 class="panel-title">Configure Kernel Parameter for Accepting IPv6 Source-Routed Packets for All Interfaces</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_source_route</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:14</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80179-5">CCE-80179-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040830</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86943r1_rule</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-4</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To set the runtime status of the <code>net.ipv6.conf.all.accept_source_route</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv6.conf.all.accept_source_route=0</pre> >If this is not the system default value, add the following line to <code>/etc/sysctl.conf</code>: <pre>net.ipv6.conf.all.accept_source_route = 0</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Source-routed packets allow the source of the packet to suggest routers >forward the packet along a different path than configured on the router, which can >be used to bypass network security measures. This requirement applies only to the >forwarding of source-routerd traffic, such as when IPv6 forwarding is enabled and >the system is functioning as a router. ><br><br> >Accepting source-routed packets in the IPv6 protocol has few legitimate >uses. It should be disabled unless it is absolutely required.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_source_route" id="rule-detail-idm46336715419728"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure Kernel Parameter for Accepting Source-Routed Packets By Defaultxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_source_route mediumCCE-80162-1 </div><div class="panel-heading"><h3 class="panel-title">Configure Kernel Parameter for Accepting Source-Routed Packets By Default</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_source_route</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:28</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80162-1">CCE-80162-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040620</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86909r1_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">3.2.1</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.10.1.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001551</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-4</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To set the runtime status of the <code>net.ipv4.conf.default.accept_source_route</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.default.accept_source_route=0</pre> >If this is not the system default value, add the following line to <code>/etc/sysctl.conf</code>: <pre>net.ipv4.conf.default.accept_source_route = 0</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Source-routed packets allow the source of the packet to suggest routers >forward the packet along a different path than configured on the router, which can >be used to bypass network security measures. ><br> >Accepting source-routed packets in the IPv4 protocol has few legitimate >uses. It should be disabled unless it is absolutely required, such as when >IPv4 forwarding is enabled and the system is legitimately functioning as >a router.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_echo_ignore_broadcasts" id="rule-detail-idm46336715414784"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure Kernel Parameter to Ignore ICMP Broadcast Echo Requestsxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_echo_ignore_broadcasts mediumCCE-80165-4 </div><div class="panel-heading"><h3 class="panel-title">Configure Kernel Parameter to Ignore ICMP Broadcast Echo Requests</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_echo_ignore_broadcasts</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:14</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80165-4">CCE-80165-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040630</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86911r1_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">3.2.5</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.10.1.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-4</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To set the runtime status of the <code>net.ipv4.icmp_echo_ignore_broadcasts</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1</pre> >If this is not the system default value, add the following line to <code>/etc/sysctl.conf</code>: <pre>net.ipv4.icmp_echo_ignore_broadcasts = 1</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Responding to broadcast (ICMP) echoes facilitates network mapping >and provides a vector for amplification attacks. ><br> >Ignoring ICMP echo requests (pings) sent to broadcast or multicast >addresses makes the system slightly more difficult to enumerate on the network.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_redirects" id="rule-detail-idm46336715394880"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure Kernel Parameter for Accepting ICMP Redirects By Defaultxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_redirects mediumCCE-80163-9 </div><div class="panel-heading"><h3 class="panel-title">Configure Kernel Parameter for Accepting ICMP Redirects By Default</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_redirects</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:14</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80163-9">CCE-80163-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040640</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86913r2_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">3.2.2</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.10.1.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001551</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-4</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To set the runtime status of the <code>net.ipv4.conf.default.accept_redirects</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.default.accept_redirects=0</pre> >If this is not the system default value, add the following line to <code>/etc/sysctl.conf</code>: <pre>net.ipv4.conf.default.accept_redirects = 0</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>ICMP redirect messages are used by routers to inform hosts that a more direct >route exists for a particular destination. These messages modify the host's route table >and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle >attack. ><br> >This feature of the IPv4 protocol has few legitimate uses. It should be disabled unless >absolutely required.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_source_route" id="rule-detail-idm46336715405424"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure Kernel Parameter for Accepting IPv4 Source-Routed Packets for All Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_source_route mediumCCE-27434-0 </div><div class="panel-heading"><h3 class="panel-title">Configure Kernel Parameter for Accepting IPv4 Source-Routed Packets for All Interfaces</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_source_route</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:28</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27434-0">CCE-27434-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040610</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86907r1_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">3.2.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-4</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To set the runtime status of the <code>net.ipv4.conf.all.accept_source_route</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.all.accept_source_route=0</pre> >If this is not the system default value, add the following line to <code>/etc/sysctl.conf</code>: <pre>net.ipv4.conf.all.accept_source_route = 0</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Source-routed packets allow the source of the packet to suggest routers >forward the packet along a different path than configured on the router, which can >be used to bypass network security measures. This requirement applies only to the >forwarding of source-routerd traffic, such as when IPv4 forwarding is enabled and >the system is functioning as a router. ><br><br> >Accepting source-routed packets in the IPv4 protocol has few legitimate >uses. It should be disabled unless it is absolutely required.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_redirects" id="rule-detail-idm46336715381136"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure Kernel Parameter for Accepting ICMP Redirects for All Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_redirects mediumCCE-80158-9 </div><div class="panel-heading"><h3 class="panel-title">Configure Kernel Parameter for Accepting ICMP Redirects for All Interfaces</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_redirects</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:14</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80158-9">CCE-80158-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040641</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-87827r3_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">3.2.2</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.10.1.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001503</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001551</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To set the runtime status of the <code>net.ipv4.conf.all.accept_redirects</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.all.accept_redirects=0</pre> >If this is not the system default value, add the following line to <code>/etc/sysctl.conf</code>: <pre>net.ipv4.conf.all.accept_redirects = 0</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>ICMP redirect messages are used by routers to inform hosts that a more direct >route exists for a particular destination. These messages modify the host's route table >and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle >attack. ><br> >This feature of the IPv4 protocol has few legitimate uses. It should be disabled unless >absolutely required.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_forward" id="rule-detail-idm46336715354048"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable Kernel Parameter for IP Forwardingxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_forward mediumCCE-80157-1 </div><div class="panel-heading"><h3 class="panel-title">Disable Kernel Parameter for IP Forwarding</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_forward</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:14</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80157-1">CCE-80157-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040740</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86933r1_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">3.1.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-32</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To set the runtime status of the <code>net.ipv4.ip_forward</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.ip_forward=0</pre> >If this is not the system default value, add the following line to <code>/etc/sysctl.conf</code>: <pre>net.ipv4.ip_forward = 0</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Routing protocol daemons are typically used on routers to exchange >network topology information with other routers. If this capability is used when >not required, system network information may be unnecessarily transmitted across >the network.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_send_redirects" id="rule-detail-idm46336715335328"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable Kernel Parameter for Sending ICMP Redirects for All Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_send_redirects mediumCCE-80156-3 </div><div class="panel-heading"><h3 class="panel-title">Disable Kernel Parameter for Sending ICMP Redirects for All Interfaces</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_send_redirects</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:14</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80156-3">CCE-80156-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040660</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86917r2_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">3.1.2</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.10.1.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-4</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5(1)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To set the runtime status of the <code>net.ipv4.conf.all.send_redirects</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.all.send_redirects=0</pre> >If this is not the system default value, add the following line to <code>/etc/sysctl.conf</code>: <pre>net.ipv4.conf.all.send_redirects = 0</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>ICMP redirect messages are used by routers to inform hosts that a more >direct route exists for a particular destination. These messages contain information >from the system's route table possibly revealing portions of the network topology. ><br> >The ability to send ICMP redirects is only appropriate for systems acting as routers.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_send_redirects" id="rule-detail-idm46336715342624"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable Kernel Parameter for Sending ICMP Redirects by Defaultxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_send_redirects mediumCCE-80156-3 </div><div class="panel-heading"><h3 class="panel-title">Disable Kernel Parameter for Sending ICMP Redirects by Default</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_send_redirects</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:14</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80156-3">CCE-80156-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040650</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86915r3_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">3.1.2</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.10.1.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-4</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To set the runtime status of the <code>net.ipv4.conf.default.send_redirects</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.default.send_redirects=0</pre> >If this is not the system default value, add the following line to <code>/etc/sysctl.conf</code>: <pre>net.ipv4.conf.default.send_redirects = 0</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>ICMP redirect messages are used by routers to inform hosts that a more >direct route exists for a particular destination. These messages contain information >from the system's route table possibly revealing portions of the network topology. ><br> >The ability to send ICMP redirects is only appropriate for systems acting as routers.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_kernel_module_dccp_disabled" id="rule-detail-idm46336715329360"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable DCCP Supportxccdf_org.ssgproject.content_rule_kernel_module_dccp_disabled mediumCCE-26828-4 </div><div class="panel-heading"><h3 class="panel-title">Disable DCCP Support</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_kernel_module_dccp_disabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:14</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-26828-4">CCE-26828-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">3.5.1</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.10.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.6</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001958</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-020101</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-92517r1_rule</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The Datagram Congestion Control Protocol (DCCP) is a >relatively new transport layer protocol, designed to support >streaming media and telephony. > >To configure the system to prevent the <code>dccp</code> >kernel module from being loaded, add the following line to a file in the directory <code>/etc/modprobe.d</code>: ><pre>install dccp /bin/true</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Disabling DCCP protects >the system against exploitation of any flaws in its implementation.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre><span class="label label-primary">info</span> > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">grep: /etc/modprobe.d/dccp.conf: No such file or directory ></message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_wireless_disable_interfaces" id="rule-detail-idm46336715300032"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Deactivate Wireless Network Interfacesxccdf_org.ssgproject.content_rule_wireless_disable_interfaces mediumCCE-27358-1 </div><div class="panel-heading"><h3 class="panel-title">Deactivate Wireless Network Interfaces</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_wireless_disable_interfaces</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:28</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27358-1">CCE-27358-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">4.3.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.16</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000085</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002418</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-18(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-18(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-18(3)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000424-GPOS-00188</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-041010</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-87829r1_rule</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Deactivating wireless network interfaces should prevent >normal usage of the wireless capability. ><br><br> >Configure the system to disable all wireless network interfaces with the >following command: ><pre>$ sudo nmcli radio wifi off</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The use of wireless networking can introduce many different attack vectors into >the organization's network. Common attack vectors such as malicious association >and ad hoc networks will allow an attacker to spoof a wireless access point >(AP), allowing validated systems to connect to the malicious AP and enabling the >attacker to monitor and record network traffic. These malicious APs can also >serve to create a man-in-the-middle attack or be used to create a denial of >service to valid network resources.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_network_sniffer_disabled" id="rule-detail-idm46336715296064"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure System is Not Acting as a Network Snifferxccdf_org.ssgproject.content_rule_network_sniffer_disabled mediumCCE-80174-6 </div><div class="panel-heading"><h3 class="panel-title">Ensure System is Not Acting as a Network Sniffer</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_network_sniffer_disabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:28</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80174-6">CCE-80174-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040670</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86919r1_rule</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(2).1(i)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MA-3</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The system should not be acting as a network sniffer, which can >capture all traffic on the network to which it is connected. Run the following >to determine if any interface is running in promiscuous mode: ><pre>$ ip link | grep PROMISC</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Network interfaces in promiscuous mode allow for the capture of all network traffic >visible to the system. If unauthorized individuals can access these applications, it >may allow them to collect information such as logon IDs, passwords, and key exchanges >between systems. ><br><br> >If the system is being used to perform a network troubleshooting function, the use of these >tools must be documented with the Information Systems Security Manager (ISSM) and restricted >to only authorized personnel.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_network_configure_name_resolution" id="rule-detail-idm46336715287104"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure Multiple DNS Servers in /etc/resolv.confxccdf_org.ssgproject.content_rule_network_configure_name_resolution unknownCCE-80438-5 </div><div class="panel-heading"><h3 class="panel-title">Configure Multiple DNS Servers in /etc/resolv.conf</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_network_configure_name_resolution</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:28</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80438-5">CCE-80438-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040600</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86905r1_rule</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-22</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Multiple Domain Name System (DNS) Servers should be configured >in <code>/etc/resolv.conf</code>. This provides redundant name resolution services >in the event that a domain server crashes. To configure the system to contain >as least <code>2</code> DNS servers, add a corresponding <code>nameserver ><i>ip_address</i></code> entry in <code>/etc/resolv.conf</code> for each DNS >server where <i>ip_address</i> is the IP address of a valid DNS server. >For example: ><pre>search example.com >nameserver 192.168.0.1 >nameserver 192.168.0.2</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>To provide availability for name resolution services, multiple redundant >name servers are mandated. A failure in name resolution could lead to the >failure of security functions requiring name resolution, which may include >time synchronization, centralized authentication, and remote system logging.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_grub2_password" id="rule-detail-idm46336715283136"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set Boot Loader Password in grub2xccdf_org.ssgproject.content_rule_grub2_password highCCE-27309-4 </div><div class="panel-heading"><h3 class="panel-title">Set Boot Loader Password in grub2</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_grub2_password</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:28</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27309-4">CCE-27309-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FIA_AFL.1</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-010480</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86585r4_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">1.4.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.5</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000213</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(B)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(7)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(7)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(ii)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(iii)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(c)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(2)(iii)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-2(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000080-GPOS-00048</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The grub2 boot loader should have a superuser account and password >protection enabled to protect boot-time settings. ><br><br> >To do so, select a superuser account name and password and and modify the ><code>/etc/grub.d/01_users</code> configuration file with the new account name. ><br><br> >Since plaintext passwords are a security risk, generate a hash for the pasword >by running the following command: ><pre>$ grub2-setpassword</pre> >When prompted, enter the password that was selected. ><br><br> >NOTE: It is recommended not to use common administrator account names like root, >admin, or administrator for the grub2 superuser account. ><br><br> >Change the superuser to a different username (The default is 'root'). ><pre>$ sed -i s/root/bootuser/g /etc/grub.d/01_users</pre> ><br><br> >To meet FISMA Moderate, the bootloader superuser account and password MUST >differ from the root account and password. >Once the superuser account and password have been added, >update the ><code>grub.cfg</code> file by running: ><pre>grub2-mkconfig -o /boot/grub2/grub.cfg</pre> >NOTE: Do NOT manually add the superuser account and password to the ><code>grub.cfg</code> file as the grub2-mkconfig command overwrites this file.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Password protection on the boot loader configuration ensures >users with physical access cannot trivially alter >important bootloader settings. These include which kernel to use, >and whether to enter single-user mode. For more information on how to configure >the grub2 superuser account and password, please refer to ><ul><li><a href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/sec-Protecting_GRUB_2_with_a_Password.html">https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/sec-Protecting_GRUB_2_with_a_Password.html</a></li>. ></ul></p></div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span> > To prevent hard-coded passwords, automatic remediation of this control is not available. Remediation >must be automated as a component of machine provisioning, or followed manually as outlined above.</div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_grub2_uefi_password" id="rule-detail-idm46336715274224"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set the UEFI Boot Loader Passwordxccdf_org.ssgproject.content_rule_grub2_uefi_password mediumCCE-80354-4 </div><div class="panel-heading"><h3 class="panel-title">Set the UEFI Boot Loader Password</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_grub2_uefi_password</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:28</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80354-4">CCE-80354-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FIA_AFL.1</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-010490</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86587r3_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">1.4.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.5</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000213</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(B)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(7)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(7)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(ii)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(iii)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(c)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(2)(iii)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000080-GPOS-00048</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The grub2 boot loader should have a superuser account and password >protection enabled to protect boot-time settings. ><br><br> >To do so, select a superuser account name and password and and modify the ><code>/etc/grub.d/01_users</code> configuration file with the new account name. ><br><br> >Since plaintext passwords are a security risk, generate a hash for the pasword >by running the following command: ><pre>$ grub2-setpassword</pre> >When prompted, enter the password that was selected. ><br><br> >NOTE: It is recommended not to use common administrator account names like root, >admin, or administrator for the grub2 superuser account. ><br><br> >Change the superuser to a different username (The default is 'root'). ><pre>$ sed -i s/root/bootuser/g /etc/grub.d/01_users</pre> ><br><br> >To meet FISMA Moderate, the bootloader superuser account and password MUST >differ from the root account and password. >Once the superuser account and password have been added, >update the ><code>grub.cfg</code> file by running: ><pre>grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg</pre> >NOTE: Do NOT manually add the superuser account and password to the ><code>grub.cfg</code> file as the grub2-mkconfig command overwrites this file.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Password protection on the boot loader configuration ensures >users with physical access cannot trivially alter >important bootloader settings. These include which kernel to use, >and whether to enter single-user mode. For more information on how to configure >the grub2 superuser account and password, please refer to ><ul><li><a href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/sec-Protecting_GRUB_2_with_a_Password.html">https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/sec-Protecting_GRUB_2_with_a_Password.html</a></li>. ></ul></p></div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span> > To prevent hard-coded passwords, automatic remediation of this control is not available. Remediation >must be automated as a component of machine provisioning, or followed manually as outlined above.</div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notchecked rule-detail-id-xccdf_org.ssgproject.content_rule_grub2_no_removeable_media" id="rule-detail-idm46336715270288"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Boat Loader Is Not Installed On Removeable Mediaxccdf_org.ssgproject.content_rule_grub2_no_removeable_media mediumCCE-80517-6 </div><div class="panel-heading"><h3 class="panel-title">Boat Loader Is Not Installed On Removeable Media</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_grub2_no_removeable_media</td></tr><tr><td>Result</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:28</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80517-6">CCE-80517-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001814</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000364-GPOS-00151</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-021700</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86699r1_rule</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The system must not allow removable media to be used as the boot loader. >Remove alternate methods of booting the system from removable media. ><code>usb0</code>, <code>cd</code>, <code>fd0</code>, etc. are some examples of removeable >media which should not exist in the line: ><pre>set root='hd0,msdos1'</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Malicious users with removable boot media can gain access to a system >configured to use removable media as the boot loader.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">No candidate or applicable check found.</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_selinux_policytype" id="rule-detail-idm46336714674640"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure SELinux Policyxccdf_org.ssgproject.content_rule_selinux_policytype highCCE-27279-9 </div><div class="panel-heading"><h3 class="panel-title">Configure SELinux Policy</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_selinux_policytype</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:28</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27279-9">CCE-27279-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-020220</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86615r3_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">1.6.1.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.7.2</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002696</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(c)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3(3)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3(4)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-4</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-9</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-6(a)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000445-GPOS-00199</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The SELinux <code>targeted</code> policy is appropriate for >general-purpose desktops and servers, as well as systems in many other roles. >To configure the system to use this policy, add or correct the following line >in <code>/etc/selinux/config</code>: ><pre>SELINUXTYPE=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_selinux_policy_name">targeted</abbr></pre> >Other policies, such as <code>mls</code>, provide additional security labeling >and greater confinement but are not compatible with many general-purpose >use cases.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Setting the SELinux policy to <code>targeted</code> or a more specialized policy >ensures the system will confine processes that are likely to be >targeted for exploitation, such as network or system services. ><br><br> >Note: During the development or debugging of SELinux modules, it is common to >temporarily place non-production systems in <code>permissive</code> mode. In such >temporary cases, SELinux policies should be developed, and once work >is completed, the system should be reconfigured to ><code><abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_selinux_policy_name">targeted</abbr></code>.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_selinux_all_devicefiles_labeled" id="rule-detail-idm46336714664784"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure No Device Files are Unlabeled by SELinuxxccdf_org.ssgproject.content_rule_selinux_all_devicefiles_labeled mediumCCE-27326-8 </div><div class="panel-heading"><h3 class="panel-title">Ensure No Device Files are Unlabeled by SELinux</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_selinux_all_devicefiles_labeled</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:28</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27326-8">CCE-27326-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-020900</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86663r1_rule</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.7.2</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000022</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000032</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000368</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000318</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001812</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001813</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001814</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-9</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-3(f)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Device files, which are used for communication with important >system resources, should be labeled with proper SELinux types. If any device >files do not carry the SELinux type <code>device_t</code>, report the bug so >that policy can be corrected. Supply information about what the device is >and what programs use it. ><br><br> >To check for unlabeled device files, run the following command: ><pre>$ sudo find /dev -context *:device_t:* \( -type c -o -type b \) -printf "%p %Z\n"</pre> >It should produce no output in a well-configured system.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>If a device file carries the SELinux type <code>device_t</code>, then SELinux >cannot properly restrict access to the device file.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notchecked rule-detail-id-xccdf_org.ssgproject.content_rule_selinux_user_login_roles" id="rule-detail-idm46336714660816"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Map System Users To The Appropriate SELinux Rolexccdf_org.ssgproject.content_rule_selinux_user_login_roles mediumCCE-80543-2 </div><div class="panel-heading"><h3 class="panel-title">Map System Users To The Appropriate SELinux Role</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_selinux_user_login_roles</td></tr><tr><td>Result</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:28</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80543-2">CCE-80543-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002235</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000324-GPOS-00125</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-020020</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86595r1_rule</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Configure the operating system to prevent non-privileged users from executing >privileged functions to include disabling, circumventing, or altering >implemented security safeguards/countermeasures. All administrators must be >mapped to the <code>sysadm_u</code> or <code>staff_u</code> users with the >appropriate domains (<code>sysadm_t</code> and <code>staff_t</code>). ><pre>$ sudo semanage login -m -s sysadm_u <i>USER</i></pre> or ><pre>$ sudo semanage login -m -s staff_u <i>USER</i></pre> ><br><br> >All authorized non-administrative >users must be mapped to the <code>user_u</code> role or the appropriate domain >(user_t). ><pre>$ sudo semanage login -m -s user_u <i>USER</i></pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Preventing non-privileged users from executing privileged functions mitigates >the risk that unauthorized individuals or processes may gain unnecessary access >to information or privileges. ><br><br> >Privileged functions include, for example, >establishing accounts, performing system integrity checks, or administering >cryptographic key management activities. Non-privileged users are individuals >who do not possess appropriate authorizations. Circumventing intrusion detection >and prevention mechanisms or malicious code protection mechanisms are examples >of privileged functions that require protection from non-privileged users.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">No candidate or applicable check found.</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_selinux_state" id="rule-detail-idm46336714658000"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure SELinux State is Enforcingxccdf_org.ssgproject.content_rule_selinux_state highCCE-27334-2 </div><div class="panel-heading"><h3 class="panel-title">Ensure SELinux State is Enforcing</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_selinux_state</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:28</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27334-2">CCE-27334-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-020210</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86613r2_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">1.6.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.7.2</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002165</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002696</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(c)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3(3)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3(4)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-4</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-9</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-6(a)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000445-GPOS-00199</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The SELinux state should be set to <code><abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_selinux_state">enforcing</abbr></code> at >system boot time. In the file <code>/etc/selinux/config</code>, add or correct the >following line to configure the system to boot into enforcing mode: ><pre>SELINUX=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_selinux_state">enforcing</abbr></pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Setting the SELinux state to enforcing ensures SELinux is able to confine >potentially compromised processes to the security policy, which is designed to >prevent them from causing damage to the system or further elevating their >privileges.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_logindefs" id="rule-detail-idm46336714645440"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set Password Hashing Algorithm in /etc/login.defsxccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_logindefs mediumCCE-27124-7 </div><div class="panel-heading"><h3 class="panel-title">Set Password Hashing Algorithm in /etc/login.defs</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_logindefs</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:28</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27124-7">CCE-27124-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-010210</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86545r1_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">6.3.1</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.6.2.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.13.11</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000196</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-7</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.2.1</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000073-GPOS-00041</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>In <code>/etc/login.defs</code>, add or correct the following line to ensure >the system will use SHA-512 as the hashing algorithm: ><pre>ENCRYPT_METHOD SHA512</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. >If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords >that are encrypted with a weak algorithm are no more protected than if they are kept in plain text. ><br><br> >Using a stronger hashing algorithm makes password cracking attacks more difficult.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_libuserconf" id="rule-detail-idm46336714641440"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set Password Hashing Algorithm in /etc/libuser.confxccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_libuserconf mediumCCE-27053-8 </div><div class="panel-heading"><h3 class="panel-title">Set Password Hashing Algorithm in /etc/libuser.conf</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_libuserconf</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:28</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27053-8">CCE-27053-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-010220</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86547r2_rule</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.6.2.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.13.11</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000196</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-7</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.2.1</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000073-GPOS-00041</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>In <code>/etc/libuser.conf</code>, add or correct the following line in its ><code>[defaults]</code> section to ensure the system will use the SHA-512 >algorithm for password hashing: ><pre>crypt_style = sha512</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Passwords need to be protected at all times, and encryption is the standard method for protecting >passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily >compromised. Passwords that are encrypted with a weak algorithm are no more protected than if they >are kepy in plain text. ><br><br> >This setting ensures user and group account administration utilities are configured to store only >encrypted representations of passwords. Additionally, the <code>crypt_style</code> configuration option >ensures the use of a strong hashing algorithm that makes password cracking attacks more difficult.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_systemauth" id="rule-detail-idm46336714637488"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set PAM's Password Hashing Algorithmxccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_systemauth mediumCCE-27104-9 </div><div class="panel-heading"><h3 class="panel-title">Set PAM's Password Hashing Algorithm</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_systemauth</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:28</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27104-9">CCE-27104-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-010200</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86543r2_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">6.3.1</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.6.2.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.13.11</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000196</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-7</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.2.1</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000073-GPOS-00041</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The PAM system service can be configured to only store encrypted representations of passwords. >In <code>/etc/pam.d/system-auth</code>, the <code>password</code> section of the file controls >which PAM modules execute during a password change. Set the <code>pam_unix.so</code> >module in the <code>password</code> section to include the argument <code>sha512</code>, as shown below: ><br> ><pre>password sufficient pam_unix.so sha512 <i>other arguments...</i></pre> ><br> >This will help ensure when local users change their passwords, hashes for the new >passwords will be generated using the SHA-512 algorithm. This is the default.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Passwords need to be protected at all times, and encryption is the standard method for protecting >passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily >compromised. Passwords that are encrypted with a weak algorithm are no more protected than if they >are kepy in plain text. ><br><br> >This setting ensures user and group account administration utilities are configured to store only >encrypted representations of passwords. Additionally, the <code>crypt_style</code> configuration option >ensures the use of a strong hashing algorithm that makes password cracking attacks more difficult.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root" id="rule-detail-idm46336714633536"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure the root Account for Failed Password Attemptsxccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root mediumCCE-80353-6 </div><div class="panel-heading"><h3 class="panel-title">Configure the root Account for Failed Password Attempts</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:14</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80353-6">CCE-80353-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-010330</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86569r2_rule</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002238</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-7(b)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000329-GPOS-00128</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000021-GPOS-00005</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To configure the system to lock out the <code>root</code> account after a number of incorrect login >attempts using <code>pam_faillock.so</code>, modify the content of both ><code>/etc/pam.d/system-auth</code> and <code>/etc/pam.d/password-auth</code> as follows: ><br><br> ><ul><li>Modify the following line in the <code>AUTH</code> section to add <code>even_deny_root</code>: ><pre>auth required pam_faillock.so preauth silent <b>even_deny_root</b> deny=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_deny">3</abbr> unlock_time=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_unlock_time">never</abbr> fail_interval=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_fail_interval">900</abbr></pre></li><li>Modify the following line in the <code>AUTH</code> section to add <code>even_deny_root</code>: ><pre>auth [default=die] pam_faillock.so authfail <b>even_deny_root</b> deny=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_deny">3</abbr> unlock_time=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_unlock_time">never</abbr> fail_interval=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_fail_interval">900</abbr></pre></li></ul></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password >guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time" id="rule-detail-idm46336714628224"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set Lockout Time For Failed Password Attemptsxccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time mediumCCE-26884-7 </div><div class="panel-heading"><h3 class="panel-title">Set Lockout Time For Failed Password Attempts</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:14</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-26884-7">CCE-26884-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-010320</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86567r3_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.3.2</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.8</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002238</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-7(b)</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.1.7</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000329-GPOS-00128</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000021-GPOS-00005</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To configure the system to lock out accounts after a number of incorrect login >attempts and require an administrator to unlock the account using <code>pam_faillock.so</code>, >modify the content of both <code>/etc/pam.d/system-auth</code> and <code>/etc/pam.d/password-auth</code> as follows: ><br><br> ><ul><li> add the following line immediately <code>before</code> the <code>pam_unix.so</code> statement in the <code>AUTH</code> section: ><pre>auth required pam_faillock.so preauth silent deny=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_deny">3</abbr> unlock_time=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_unlock_time">never</abbr> fail_interval=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_fail_interval">900</abbr></pre></li><li> add the following line immediately <code>after</code> the <code>pam_unix.so</code> statement in the <code>AUTH</code> section: ><pre>auth [default=die] pam_faillock.so authfail deny=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_deny">3</abbr> unlock_time=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_unlock_time">never</abbr> fail_interval=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_fail_interval">900</abbr></pre></li><li> add the following line immediately <code>before</code> the <code>pam_unix.so</code> statement in the <code>ACCOUNT</code> section: ><pre>account required pam_faillock.so</pre></li></ul></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Locking out user accounts after a number of incorrect attempts >prevents direct password guessing attacks. Ensuring that an administrator is >involved in unlocking locked accounts draws appropriate attention to such >situations.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember" id="rule-detail-idm46336714620080"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Limit Password Reusexccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember mediumCCE-26923-3 </div><div class="panel-heading"><h3 class="panel-title">Limit Password Reuse</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:14</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-26923-3">CCE-26923-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-010270</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86557r2_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.3.3</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.6.2.1.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.5.8</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000200</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(f)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(e)</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.2.5</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000077-GPOS-00045</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Do not allow users to reuse recent passwords. This can be >accomplished by using the <code>remember</code> option for the <code>pam_unix</code> >or <code>pam_pwhistory</code> PAM modules. ><br><br> >In the file <code>/etc/pam.d/system-auth</code>, append <code>remember=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_password_pam_unix_remember">5</abbr></code> >to the line which refers to the <code>pam_unix.so</code> or <code>pam_pwhistory.so</code>module, as shown below: ><ul><li>for the <code>pam_unix.so</code> case: ><pre>password sufficient pam_unix.so <i>...existing_options...</i> remember=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_password_pam_unix_remember">5</abbr></pre> ></li><li>for the <code>pam_pwhistory.so</code> case: ><pre>password requisite pam_pwhistory.so <i>...existing_options...</i> remember=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_password_pam_unix_remember">5</abbr></pre> ></li></ul> >The DoD STIG requirement is 5 passwords.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval" id="rule-detail-idm46336714609248"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set Interval For Counting Failed Password Attemptsxccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval mediumCCE-27297-1 </div><div class="panel-heading"><h3 class="panel-title">Set Interval For Counting Failed Password Attempts</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:14</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27297-1">CCE-27297-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-010320</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86567r3_rule</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002238</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-7(b)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000329-GPOS-00128</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000021-GPOS-00005</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Utilizing <code>pam_faillock.so</code>, the <code>fail_interval</code> directive >configures the system to lock out an accounts after a number of incorrect login >attempts within a specified time period. Modify the content of both ><code>/etc/pam.d/system-auth</code> and <code>/etc/pam.d/password-auth</code> as follows: ><br><br> ><ul><li>Add the following line immediately <code>before</code> the <code>pam_unix.so</code> statement in the <code>AUTH</code> section: ><pre>auth required pam_faillock.so preauth silent deny=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_deny">3</abbr> unlock_time=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_unlock_time">never</abbr> fail_interval=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_fail_interval">900</abbr></pre></li><li>Add the following line immediately <code>after</code> the <code>pam_unix.so</code> statement in the <code>AUTH</code> section: ><pre>auth [default=die] pam_faillock.so authfail deny=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_deny">3</abbr> unlock_time=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_unlock_time">never</abbr> fail_interval=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_fail_interval">900</abbr></pre></li><li>Add the following line immediately <code>before</code> the <code>pam_unix.so</code> statement in the <code>ACCOUNT</code> section: ><pre>account required pam_faillock.so</pre></li></ul></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>By limiting the number of failed logon attempts the risk of unauthorized system >access via user password guessing, otherwise known as brute-forcing, is reduced. >Limits are imposed by locking the account.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny" id="rule-detail-idm46336714603408"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set Deny For Failed Password Attemptsxccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny mediumCCE-27350-8 </div><div class="panel-heading"><h3 class="panel-title">Set Deny For Failed Password Attempts</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:14</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27350-8">CCE-27350-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-010320</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86567r3_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.3.2</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.8</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002238</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-7(b)</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.1.6</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000329-GPOS-00128</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000021-GPOS-00005</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To configure the system to lock out accounts after a number of incorrect login >attempts using <code>pam_faillock.so</code>, modify the content of both ><code>/etc/pam.d/system-auth</code> and <code>/etc/pam.d/password-auth</code> as follows: ><br><br> ><ul><li> add the following line immediately <code>before</code> the <code>pam_unix.so</code> statement in the <code>AUTH</code> section: ><pre>auth required pam_faillock.so preauth silent deny=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_deny">3</abbr> unlock_time=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_unlock_time">never</abbr> fail_interval=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_fail_interval">900</abbr></pre></li><li> add the following line immediately <code>after</code> the <code>pam_unix.so</code> statement in the <code>AUTH</code> section: ><pre>auth [default=die] pam_faillock.so authfail deny=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_deny">3</abbr> unlock_time=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_unlock_time">never</abbr> fail_interval=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_fail_interval">900</abbr></pre></li><li> add the following line immediately <code>before</code> the <code>pam_unix.so</code> statement in the <code>ACCOUNT</code> section: ><pre>account required pam_faillock.so</pre></li></ul></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Locking out user accounts after a number of incorrect attempts >prevents direct password guessing attacks.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen" id="rule-detail-idm46336714589136"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set Password Minimum Lengthxccdf_org.ssgproject.content_rule_accounts_password_pam_minlen mediumCCE-27293-0 </div><div class="panel-heading"><h3 class="panel-title">Set Password Minimum Length</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:14</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27293-0">CCE-27293-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-010280</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86559r1_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">6.3.2</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.6.2.1.1</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000205</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(a)</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.2.3</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000078-GPOS-00046</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The pam_pwquality module's <code>minlen</code> parameter controls requirements for >minimum characters required in a password. Add <code>minlen=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_password_pam_minlen">15</abbr></code> >after pam_pwquality to set minimum password length requirements.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The shorter the password, the lower the number of possible combinations >that need to be tested before the password is compromised. ><br> >Password complexity, or strength, is a measure of the effectiveness of a >password in resisting attempts at guessing and brute-force attacks. >Password length is one factor of several that helps to determine strength >and how long it takes to crack a password. Use of more characters in a password >helps to exponentially increase the time and/or resources required to >compromose the password.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_password_pam_maxclassrepeat" id="rule-detail-idm46336714594064"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set Password to Maximum of Consecutive Repeating Characters from Same Character Classxccdf_org.ssgproject.content_rule_accounts_password_pam_maxclassrepeat mediumCCE-27512-3 </div><div class="panel-heading"><h3 class="panel-title">Set Password to Maximum of Consecutive Repeating Characters from Same Character Class</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_password_pam_maxclassrepeat</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:14</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27512-3">CCE-27512-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-010190</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86541r1_rule</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000195</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(c)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000072-GPOS-00040</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The pam_pwquality module's <code>maxclassrepeat</code> parameter controls requirements for >consecutive repeating characters from the same character class. When set to a positive number, it will reject passwords >which contain more than that number of consecutive characters from the same character class. Modify the ><code>maxclassrepeat</code> setting in <code>/etc/security/pwquality.conf</code> to equal <abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_password_pam_maxclassrepeat">4</abbr> >to prevent a run of (<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_password_pam_maxclassrepeat">4</abbr> + 1) or more identical characters.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Use of a complex password helps to increase the time and resources required to comrpomise the password. >Password complexity, or strength, is a measure of the effectiveness of a password in resisting >attempts at guessing and brute-force attacks. ><br> >Password complexity is one factor of several that determines how long it takes to crack a password. The >more complex a password, the greater the number of possible combinations that need to be tested before the >password is compromised.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_password_pam_maxrepeat" id="rule-detail-idm46336714577552"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set Password Maximum Consecutive Repeating Charactersxccdf_org.ssgproject.content_rule_accounts_password_pam_maxrepeat mediumCCE-27333-4 </div><div class="panel-heading"><h3 class="panel-title">Set Password Maximum Consecutive Repeating Characters</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_password_pam_maxrepeat</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:14</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27333-4">CCE-27333-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-010180</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86539r2_rule</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000195</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(c)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000072-GPOS-00040</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The pam_pwquality module's <code>maxrepeat</code> parameter controls requirements for >consecutive repeating characters. When set to a positive number, it will reject passwords >which contain more than that number of consecutive characters. Modify the <code>maxrepeat</code> setting >in <code>/etc/security/pwquality.conf</code> to equal <abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_password_pam_maxrepeat">3</abbr> to prevent a >run of (<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_password_pam_maxrepeat">3</abbr> + 1) or more identical characters.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Use of a complex password helps to increase the time and resources required to compromise the password. >Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at >guessing and brute-force attacks. ><br><br> >Password complexity is one factor of several that determines how long it takes to crack a password. The more >complex the password, the greater the number of possible combinations that need to be tested before the >password is compromised. ><br><br> >Passwords with excessive repeating characters may be more vulnerable to password-guessing attacks.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit" id="rule-detail-idm46336714564160"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set Password Strength Minimum Digit Charactersxccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit mediumCCE-27214-6 </div><div class="panel-heading"><h3 class="panel-title">Set Password Strength Minimum Digit Characters</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:14</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27214-6">CCE-27214-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-010140</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86531r2_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">6.3.2</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000194</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">194</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.2.3</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000071-GPOS-00039</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The pam_pwquality module's <code>dcredit</code> parameter controls requirements for >usage of digits in a password. When set to a negative number, any password will be required to >contain that many digits. When set to a positive number, pam_pwquality will grant +1 additional >length credit for each digit. Modify the <code>dcredit</code> setting in ><code>/etc/security/pwquality.conf</code> to require the use of a digit in passwords.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Use of a complex password helps to increase the time and resources required >to compromise the password. Password complexity, or strength, is a measure of >the effectiveness of a password in resisting attempts at guessing and brute-force >attacks. ><br><br> >Password complexity is one factor of several that determines how long it takes >to crack a password. The more complex the password, the greater the number of >possble combinations that need to be tested before the password is compromised. >Requiring digits makes password guessing attacks more difficult by ensuring a larger >search space.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_password_pam_minclass" id="rule-detail-idm46336714544256"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set Password Strength Minimum Different Categoriesxccdf_org.ssgproject.content_rule_accounts_password_pam_minclass mediumCCE-27115-5 </div><div class="panel-heading"><h3 class="panel-title">Set Password Strength Minimum Different Categories</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_password_pam_minclass</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:14</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27115-5">CCE-27115-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-010170</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86537r1_rule</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000195</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000072-GPOS-00040</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The pam_pwquality module's <code>minclass</code> parameter controls >requirements for usage of different character classes, or types, of character >that must exist in a password before it is considered valid. For example, >setting this value to three (3) requires that any password must have characters >from at least three different categories in order to be approved. The default >value is zero (0), meaning there are no required classes. There are four >categories available: ><pre> >* Upper-case characters >* Lower-case characters >* Digits >* Special characters (for example, punctuation) ></pre> >Modify the <code>minclass</code> setting in <code>/etc/security/pwquality.conf</code> entry to require <abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_password_pam_minclass">4</abbr> >differing categories of characters when changing passwords.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Use of a complex password helps to increase the time and resources required to compromise the password. >Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts >at guessing and brute-force attacks. ><br><br> >Password complexity is one factor of several that determines how long it takes to crack a password. The >more complex the password, the greater the number of possible combinations that need to be tested before >the password is compromised. ><br><br> >Requiring a minimum number of character categories makes password guessing attacks more difficult >by ensuring a larger search space.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_password_pam_difok" id="rule-detail-idm46336714548704"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set Password Strength Minimum Different Charactersxccdf_org.ssgproject.content_rule_accounts_password_pam_difok mediumCCE-26631-2 </div><div class="panel-heading"><h3 class="panel-title">Set Password Strength Minimum Different Characters</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_password_pam_difok</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:14</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-26631-2">CCE-26631-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-010160</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86535r1_rule</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.6.2.1.1</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000195</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(b)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000072-GPOS-00040</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The pam_pwquality module's <code>difok</code> parameter sets the number of characters >in a password that must not be present in and old password during a password change. ><br><br> >Modify the <code>difok</code> setting in <code>/etc/security/pwquality.conf</code> >to equal <abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_password_pam_difok">8</abbr> to require differing characters >when changing passwords.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Use of a complex password helps to increase the time and resources >required to compromise the password. Password complexity, or strength, >is a measure of the effectiveness of a password in resisting attempts >at guessing and bruteâforce attacks. ><br><br> >Password complexity is one factor of several that determines how long >it takes to crack a password. The more complex the password, the >greater the number of possible combinations that need to be tested >before the password is compromised. ><br><br> >Requiring a minimum number of different characters during password changes ensures that >newly changed passwords should not resemble previously compromised ones. >Note that passwords which are changed on compromised systems will still be compromised, however.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_password_pam_ocredit" id="rule-detail-idm46336714522304"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set Password Strength Minimum Special Charactersxccdf_org.ssgproject.content_rule_accounts_password_pam_ocredit mediumCCE-27360-7 </div><div class="panel-heading"><h3 class="panel-title">Set Password Strength Minimum Special Characters</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_password_pam_ocredit</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:14</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27360-7">CCE-27360-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-010150</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86533r1_rule</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001619</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(a)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000266-GPOS-00101</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The pam_pwquality module's <code>ocredit=</code> parameter controls requirements for >usage of special (or "other") characters in a password. When set to a negative number, any password will be >required to contain that many special characters. When set to a positive number, pam_pwquality will grant +1 >additional length credit for each special character. Modify the <code>ocredit</code> setting in ><code>/etc/security/pwquality.conf</code> to equal <abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_password_pam_ocredit">-1</abbr> to require use of a special character in passwords.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Use of a complex password helps to increase the time and resources required >to compromise the password. Password complexity, or strength, is a measure of >the effectiveness of a password in resisting attempts at guessing and brute-force >attacks. ><br><br> >Password complexity is one factor of several that determines how long it takes >to crack a password. The more complex the password, the greater the number of >possble combinations that need to be tested before the password is compromised. >Requiring a minimum number of special characters makes password guessing attacks >more difficult by ensuring a larger search space.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit" id="rule-detail-idm46336714527728"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set Password Strength Minimum Lowercase Charactersxccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit mediumCCE-27345-8 </div><div class="panel-heading"><h3 class="panel-title">Set Password Strength Minimum Lowercase Characters</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:14</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27345-8">CCE-27345-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-010130</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86529r4_rule</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000193</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(a)</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.2.3</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000070-GPOS-00038</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The pam_pwquality module's <code>lcredit</code> parameter controls requirements for >usage of lowercase letters in a password. When set to a negative number, any password will be required to >contain that many lowercase characters. When set to a positive number, pam_pwquality will grant +1 additional >length credit for each lowercase character. Modify the <code>lcredit</code> setting in ><code>/etc/security/pwquality.conf</code> to require the use of a lowercase character in passwords.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Use of a complex password helps to increase the time and resources required >to compromise the password. Password complexity, or strength, is a measure of >the effectiveness of a password in resisting attempts at guessing and brute-force >attacks. ><br><br> >Password complexity is one factor of several that determines how long it takes >to crack a password. The more complex the password, the greater the number of >possble combinations that need to be tested before the password is compromised. >Requiring a minimum number of lowercase characters makes password guessing attacks >more difficult by ensuring a larger search space.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit" id="rule-detail-idm46336714500096"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set Password Strength Minimum Uppercase Charactersxccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit mediumCCE-27200-5 </div><div class="panel-heading"><h3 class="panel-title">Set Password Strength Minimum Uppercase Characters</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:14</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27200-5">CCE-27200-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-010120</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86527r2_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">6.3.2</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000192</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(a)</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.2.3</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000069-GPOS-00037</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The pam_pwquality module's <code>ucredit=</code> parameter controls requirements for >usage of uppercase letters in a password. When set to a negative number, any password will be required to >contain that many uppercase characters. When set to a positive number, pam_pwquality will grant +1 additional >length credit for each uppercase character. Modify the <code>ucredit</code> setting in ><code>/etc/security/pwquality.conf</code> to require the use of an uppercase character in passwords.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Use of a complex password helps to increase the time and resources reuiqred to compromise the password. >Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts >at guessing and brute-force attacks. ><br><br> >Password complexity is one factor of several that determines how long it takes to crack a password. The more >complex the password, the greater the number of possible combinations that need to be tested before >the password is compromised.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_password_pam_retry" id="rule-detail-idm46336714505536"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set Password Retry Prompts Permitted Per-Sessionxccdf_org.ssgproject.content_rule_accounts_password_pam_retry unknownCCE-27160-1 </div><div class="panel-heading"><h3 class="panel-title">Set Password Retry Prompts Permitted Per-Session</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_password_pam_retry</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:28</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27160-1">CCE-27160-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-010119</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-87811r3_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">6.3.2</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.3</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(c)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00225</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To configure the number of retry prompts that are permitted per-session: ><br><br> >Edit the <code>pam_pwquality.so</code> statement in <code>/etc/pam.d/system-auth</code> to >show <code>retry=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_password_pam_retry">3</abbr></code>, or a lower value if site policy is more restrictive. ><br><br> >The DoD requirement is a maximum of 3 prompts per session.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Setting the password retry prompts that are permitted on a per-session basis to a low value >requires some software, such as SSH, to re-connect. This can slow down and >draw additional attention to some types of password-guessing attacks. Note that this >is different from account lockout, which is provided by the pam_faillock module.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_display_login_attempts" id="rule-detail-idm46336714469264"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set Last Logon/Access Notificationxccdf_org.ssgproject.content_rule_display_login_attempts lowCCE-27275-7 </div><div class="panel-heading"><h3 class="panel-title">Set Last Logon/Access Notification</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_display_login_attempts</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:28</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27275-7">CCE-27275-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040530</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86899r2_rule</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.2</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-9</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.2.4</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To configure the system to notify users of last logon/access >using <code>pam_lastlog</code>, add or correct the <code>pam_lastlog</code> settings in ><code>/etc/pam.d/postlogin</code> to read as follows: ><pre>session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet >session [default=1] pam_lastlog.so nowtmp showfailed >session optional pam_lastlog.so silent noupdate showfailed</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Users need to be aware of activity that occurs regarding >their account. Providing users with information regarding the number >of unsuccessful attempts that were made to login to their account >allows the user to determine if any unauthorized activity has occurred >and gives them an opportunity to notify administrators.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_minimum_age_login_defs" id="rule-detail-idm46336714460304"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set Password Minimum Agexccdf_org.ssgproject.content_rule_accounts_minimum_age_login_defs mediumCCE-27002-5 </div><div class="panel-heading"><h3 class="panel-title">Set Password Minimum Age</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_minimum_age_login_defs</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:14</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27002-5">CCE-27002-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-010230</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86549r1_rule</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.6.2.1.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.5.8</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000198</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(f)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(d)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000075-GPOS-00043</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To specify password minimum age for new accounts, >edit the file <code>/etc/login.defs</code> >and add or correct the following line: ><pre>PASS_MIN_DAYS <abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_minimum_age_login_defs">1</abbr></pre> >A value of 1 day is considered sufficient for many >environments. The DoD requirement is 1. >The profile requirement is <code><abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_minimum_age_login_defs">1</abbr></code>.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat >the password reuse or history enforcement requirement. If users are allowed to immediately >and continually change their password, then the password could be repeatedly changed in a >short period of time to defeat the organization's policy regarding password reuse. ><br><br> >Setting the minimum password age protects against users cycling back to a favorite password >after satisfying the password reuse requirement.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs" id="rule-detail-idm46336714454816"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set Password Maximum Agexccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs mediumCCE-27051-2 </div><div class="panel-heading"><h3 class="panel-title">Set Password Maximum Age</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:14</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27051-2">CCE-27051-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-010250</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86553r1_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.4.1.1</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.6.2.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.5.6</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000199</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(f)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(g)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(d)</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.2.4</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000076-GPOS-00044</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To specify password maximum age for new accounts, >edit the file <code>/etc/login.defs</code> >and add or correct the following line: ><pre>PASS_MAX_DAYS <abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_maximum_age_login_defs">60</abbr></pre> >A value of 180 days is sufficient for many environments. >The DoD requirement is 60. >The profile requirement is <code><abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_maximum_age_login_defs">60</abbr></code>.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Any password, no matter how complex, can eventually be cracked. Therefore, passwords >need to be changed periodically. If the operating system does not limit the lifetime >of passwords and force users to change their passwords, there is the risk that the >operating system passwords could be compromised. ><br><br> >Setting the password maximum age ensures users are required to >periodically change their passwords. Requiring shorter password lifetimes >increases the risk of users writing down the password in a convenient >location subject to physical compromise.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notchecked rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_password_set_min_life_existing" id="rule-detail-idm46336714444816"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set Existing Passwords Minimum Agexccdf_org.ssgproject.content_rule_accounts_password_set_min_life_existing mediumCCE-80521-8 </div><div class="panel-heading"><h3 class="panel-title">Set Existing Passwords Minimum Age</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_password_set_min_life_existing</td></tr><tr><td>Result</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:28</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80521-8">CCE-80521-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000198</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000075-GPOS-00043</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-010240</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86551r1_rule</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Configure non-compliant accounts to enforce a 24 hours/1 day minimum password >lifetime by running the following command: ><pre>$ sudo chage -m 1 <i>USER</i></pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Enforcing a minimum password lifetime helps to prevent repeated password >changes to defeat the password reuse or history enforcement requirement. If >users are allowed to immediately and continually change their password, the >password could be repeatedly changed in a short period of time to defeat the >organization's policy regarding password reuse.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">No candidate or applicable check found.</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notchecked rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_password_set_max_life_existing" id="rule-detail-idm46336714448256"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set Existing Passwords Maximum Agexccdf_org.ssgproject.content_rule_accounts_password_set_max_life_existing mediumCCE-80522-6 </div><div class="panel-heading"><h3 class="panel-title">Set Existing Passwords Maximum Age</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_password_set_max_life_existing</td></tr><tr><td>Result</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:28</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80522-6">CCE-80522-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000199</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000076-GPOS-00044</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-010260</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86555r1_rule</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Configure non-compliant accounts to enforce a 60-day maximum password lifetime >restriction by running the following command: ><pre>$ sudo chage -M 60 <i>USER</i></pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Any password, no matter how complex, can eventually be cracked. Therefore, >passwords need to be changed periodically. If the operating system does >not limit the lifetime of passwords and force users to change their >passwords, there is the risk that the operating system passwords could be >compromised.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">No candidate or applicable check found.</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero" id="rule-detail-idm46336714422608"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Verify Only Root Has UID 0xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero highCCE-27175-9 </div><div class="panel-heading"><h3 class="panel-title">Verify Only Root Has UID 0</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:28</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27175-9">CCE-27175-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-020310</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86629r1_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">6.2.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.5</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-2(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-4</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>If any account other than root has a UID of 0, this misconfiguration should >be investigated and the accounts other than root should be removed or >have their UID changed. ><br> >If the account is associated with system commands or applications the UID should be changed >to one greater than "0" but less than "1000." Otherwise assign a UID greater than "1000" that >has not already been assigned.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>An account has root authority if it has a UID of 0. Multiple accounts >with a UID of 0 afford more opportunity for potential intruders to >guess a password for a privileged account. Proper configuration of >sudo is recommended to afford multiple system administrators >access to root privileges in an accountable manner.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_account_disable_post_pw_expiration" id="rule-detail-idm46336714414288"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set Account Expiration Following Inactivityxccdf_org.ssgproject.content_rule_account_disable_post_pw_expiration mediumCCE-27355-7 </div><div class="panel-heading"><h3 class="panel-title">Set Account Expiration Following Inactivity</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_account_disable_post_pw_expiration</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:14</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27355-7">CCE-27355-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-010310</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86565r1_rule</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.6.2.1.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.5.6</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000795</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(2)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(3)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-4(e)</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.1.4</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000118-GPOS-00060</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To specify the number of days after a password expires (which >signifies inactivity) until an account is permanently disabled, add or correct >the following lines in <code>/etc/default/useradd</code>, substituting ><code><i>NUM_DAYS</i></code> appropriately: ><pre>INACTIVE=<i><abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_account_disable_post_pw_expiration">0</abbr></i></pre> >A value of 35 is recommended; however, this profile expects that the value is set to ><code><abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_account_disable_post_pw_expiration">0</abbr></code>. >If a password is currently on the >verge of expiration, then 35 days remain until the account is automatically >disabled. However, if the password will not expire for another 60 days, then 95 >days could elapse until the account would be automatically disabled. See the ><code>useradd</code> man page for more information. Determining the inactivity >timeout must be done with careful consideration of the length of a "normal" >period of inactivity for users in the particular environment. Setting >the timeout too low incurs support costs and also has the potential to impact >availability of the system to legitimate users.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Disabling inactive accounts ensures that accounts which may not >have been responsibly removed are not available to attackers >who may have compromised their credentials.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_no_empty_passwords" id="rule-detail-idm46336714393888"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Prevent Log In to Accounts With Empty Passwordxccdf_org.ssgproject.content_rule_no_empty_passwords highCCE-27286-4 </div><div class="panel-heading"><h3 class="panel-title">Prevent Log In to Accounts With Empty Password</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_no_empty_passwords</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:14</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27286-4">CCE-27286-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FIA_AFL.1</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-010290</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86561r2_rule</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.5</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(B)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(7)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(7)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(ii)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(iii)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(c)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(2)(iii)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(a)</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.2.3</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>If an account is configured for password authentication >but does not have an assigned password, it may be possible to log >into the account without authentication. Remove any instances of the <code>nullok</code> >option in <code>/etc/pam.d/system-auth</code> to >prevent logins with empty passwords.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>If an account has an empty password, anyone could log in and >run commands with the privileges of that account. Accounts with >empty passwords should never be used in operational environments.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_gid_passwd_group_same" id="rule-detail-idm46336714390368"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->All GIDs referenced in /etc/passwd must be defined in /etc/groupxccdf_org.ssgproject.content_rule_gid_passwd_group_same lowCCE-27503-2 </div><div class="panel-heading"><h3 class="panel-title">All GIDs referenced in /etc/passwd must be defined in /etc/group</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_gid_passwd_group_same</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:28</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27503-2">CCE-27503-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-020300</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86627r1_rule</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.2</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000764</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-2</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.5.a</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000104-GPOS-00051</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Add a group to the system for each GID referenced without a corresponding group.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>If a user is assigned the Group Identifier (GID) of a group not existing on the system, and a group >with the Gruop Identifier (GID) is subsequently created, the user may have unintended rights to >any files associated with the group.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_package_screen_installed" id="rule-detail-idm46336714386496"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Install the screen Packagexccdf_org.ssgproject.content_rule_package_screen_installed mediumCCE-27351-6 </div><div class="panel-heading"><h3 class="panel-title">Install the screen Package</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_screen_installed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:28</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27351-6">CCE-27351-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-010090</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86521r1_rule</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.10</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000057</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-11(a)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000029-GPOS-00010</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To enable console screen locking, install the <code>screen</code> package: ><pre>$ sudo yum install screen</pre> >Instruct users to begin new terminal sessions with the following command: ><pre>$ screen</pre> >The console can now be locked with the following key combination: ><pre>ctrl+a x</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate >physical vicinity of the information system but des not logout because of the temporary nature of the absence. >Rather than relying on the user to manually lock their operation system session prior to vacating the vicinity, >operating systems need to be able to identify when a user's session has idled and take action to initiate the >session lock. ><br><br> >The <code>screen</code> package allows for a session lock to be implemented and configured.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-error rule-detail-id-xccdf_org.ssgproject.content_rule_smartcard_auth" id="rule-detail-idm46336714382656"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Enable Smart Card Loginxccdf_org.ssgproject.content_rule_smartcard_auth mediumCCE-80207-4 </div><div class="panel-heading"><h3 class="panel-title">Enable Smart Card Login</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_smartcard_auth</td></tr><tr><td>Result</td><td class="rule-result rule-result-error"><div><abbr title="The checking engine could not complete the evaluation, therefore the status of the target's compliance with the rule is not certain. This could happen, for example, if a testing tool was run with insufficient privileges and could not gather all of the necessary information.">error</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:15</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80207-4">CCE-80207-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-010500</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86589r1_rule</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000765</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000766</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000767</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000768</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000771</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000772</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000884</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-2(2)</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.3</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000104-GPOS-00051</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000106-GPOS-00053</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000107-GPOS-00054</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000109-GPOS-00056</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000108-GPOS-00055</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000108-GPOS-00057</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000108-GPOS-00058</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To enable smart card authentication, consult the documentation at: ><ul><li><b><a href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/smartcards.html#authconfig-smartcards">https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/smartcards.html#authconfig-smartcards</a></b></li></ul> >For guidance on enabling SSH to authenticate against a Common Access Card (CAC), consult documentation at: ><ul><li><b><a href="https://access.redhat.com/solutions/82273">https://access.redhat.com/solutions/82273</a></b></li></ul></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Smart card login provides two-factor authentication stronger than >that provided by a username and password combination. Smart cards leverage PKI >(public key infrastructure) in order to provide and verify credentials.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre><span class="label label-primary">info</span>Â > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">which: no dnf in (/bin:/sbin:/usr/bin:/usr/sbin) >/bin/yum >which: no dnf in (/bin:/sbin:/usr/bin:/usr/sbin) >/bin/yum >Running in chroot, ignoring request. >Running in chroot, ignoring request. ></message></pre><span class="label label-primary">info</span>Â > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Failed to verify applied fix: Checking engine returns: fail</message></pre></div></div></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation Shell script:</span>Â Â Â <a data-toggle="collapse" data-target="#idm46336723809296">(show)</a><br></br><div class="panel-collapse collapse" id="idm46336723809296"><pre><code> > ># Install required packages ><abbr title="from TestResult: xccdf_org.ssgproject.content_value_function_package_install"># Function to install packages on RHEL, Fedora, Debian, and possibly other systems. ># ># Example Call(s): ># ># package_install aide ># >function package_install { > ># Load function arguments into local variables >local package="$1" > ># Check sanity of the input >if [ $# -ne "1" ] >then > echo "Usage: package_install 'package_name'" > echo "Aborting." > exit 1 >fi > >if which dnf ; then > if ! rpm -q --quiet "$package"; then > dnf install -y "$package" > fi >elif which yum ; then > if ! rpm -q --quiet "$package"; then > yum install -y "$package" > fi >elif which apt-get ; then > apt-get install -y "$package" >else > echo "Failed to detect available packaging system, tried dnf, yum and apt-get!" > echo "Aborting." > exit 1 >fi > >} ></abbr> >package_install esc >package_install pam_pkcs11 > ># Enable pcscd.socket systemd activation socket ><abbr title="from TestResult: xccdf_org.ssgproject.content_value_function_service_command"># Function to enable/disable and start/stop services on RHEL and Fedora systems. ># ># Example Call(s): ># ># service_command enable bluetooth ># service_command disable bluetooth.service ># ># Using xinetd: ># service_command disable rsh.socket xinetd=rsh ># >function service_command { > ># Load function arguments into local variables >local service_state=$1 >local service=$2 >local xinetd=$(echo $3 | cut -d'=' -f2) > ># Check sanity of the input >if [ $# -lt "2" ] >then > echo "Usage: service_command 'enable/disable' 'service_name.service'" > echo > echo "To enable or disable xinetd services add \'xinetd=service_name\'" > echo "as the last argument" > echo "Aborting." > exit 1 >fi > ># If systemctl is installed, use systemctl command; otherwise, use the service/chkconfig commands >if [ -f "/usr/bin/systemctl" ] ; then > service_util="/usr/bin/systemctl" >else > service_util="/sbin/service" > chkconfig_util="/sbin/chkconfig" >fi > ># If disable is not specified in arg1, set variables to enable services. ># Otherwise, variables are to be set to disable services. >if [ "$service_state" != 'disable' ] ; then > service_state="enable" > service_operation="start" > chkconfig_state="on" >else > service_state="disable" > service_operation="stop" > chkconfig_state="off" >fi > ># If chkconfig_util is not empty, use chkconfig/service commands. >if [ "x$chkconfig_util" != x ] ; then > $service_util $service $service_operation > $chkconfig_util --level 0123456 $service $chkconfig_state >else > $service_util $service_operation $service > $service_util $service_state $service > # The service may not be running because it has been started and failed, > # so let's reset the state so OVAL checks pass. > # Service should be 'inactive', not 'failed' after reboot though. > $service_util reset-failed $service >fi > ># Test if local variable xinetd is empty using non-bashism. ># If empty, then xinetd is not being used. >if [ "x$xinetd" != x ] ; then > grep -qi disable /etc/xinetd.d/$xinetd && \ > > if [ "$service_operation" = 'disable' ] ; then > sed -i "s/disable.*/disable = no/gI" /etc/xinetd.d/$xinetd > else > sed -i "s/disable.*/disable = yes/gI" /etc/xinetd.d/$xinetd > fi >fi > >} ></abbr> >service_command enable pcscd.socket > ># Configure the expected /etc/pam.d/system-auth{,-ac} settings directly ># ># The code below will configure system authentication in the way smart card ># logins will be enabled, but also user login(s) via other method to be allowed ># ># NOTE: It is not possible to use the 'authconfig' command to perform the ># remediation for us, because call of 'authconfig' would discard changes ># for other remediations (see RH BZ#1357019 for details) ># ># Therefore we need to configure the necessary settings directly. ># > ># Define system-auth config location >SYSTEM_AUTH_CONF="/etc/pam.d/system-auth" ># Define expected 'pam_env.so' row in $SYSTEM_AUTH_CONF >PAM_ENV_SO="auth.*required.*pam_env.so" > ># Define 'pam_succeed_if.so' row to be appended past $PAM_ENV_SO row into $SYSTEM_AUTH_CONF >SYSTEM_AUTH_PAM_SUCCEED="\ >auth [success=1 default=ignore] pam_succeed_if.so service notin \ >login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid" ># Define 'pam_pkcs11.so' row to be appended past $SYSTEM_AUTH_PAM_SUCCEED ># row into SYSTEM_AUTH_CONF file >SYSTEM_AUTH_PAM_PKCS11="\ >auth [success=done authinfo_unavail=ignore ignore=ignore default=die] \ >pam_pkcs11.so nodebug" > ># Define smartcard-auth config location >SMARTCARD_AUTH_CONF="/etc/pam.d/smartcard-auth" ># Define 'pam_pkcs11.so' auth section to be appended past $PAM_ENV_SO into $SMARTCARD_AUTH_CONF >SMARTCARD_AUTH_SECTION="\ >auth [success=done ignore=ignore default=die] pam_pkcs11.so wait_for_card card_only" ># Define expected 'pam_permit.so' row in $SMARTCARD_AUTH_CONF >PAM_PERMIT_SO="account.*required.*pam_permit.so" ># Define 'pam_pkcs11.so' password section >SMARTCARD_PASSWORD_SECTION="\ >password required pam_pkcs11.so" > ># First Correct the SYSTEM_AUTH_CONF configuration >if ! grep -q 'pam_pkcs11.so' "$SYSTEM_AUTH_CONF" >then > # Append (expected) pam_succeed_if.so row past the pam_env.so into SYSTEM_AUTH_CONF file > # and append (expected) pam_pkcs11.so row right after the pam_succeed_if.so we just added > # in SYSTEM_AUTH_CONF file > # This will preserve any other already existing row equal to "$SYSTEM_AUTH_PAM_SUCCEED" > echo "$(awk '/^'"$PAM_ENV_SO"'/{print $0 RS "'"$SYSTEM_AUTH_PAM_SUCCEED"'" RS "'"$SYSTEM_AUTH_PAM_PKCS11"'";next}1' "$SYSTEM_AUTH_CONF")" > "$SYSTEM_AUTH_CONF" >fi > ># Then also correct the SMARTCARD_AUTH_CONF >if ! grep -q 'pam_pkcs11.so' "$SMARTCARD_AUTH_CONF" >then > # Append (expected) SMARTCARD_AUTH_SECTION row past the pam_env.so into SMARTCARD_AUTH_CONF file > sed -i --follow-symlinks -e '/^'"$PAM_ENV_SO"'/a '"$SMARTCARD_AUTH_SECTION" "$SMARTCARD_AUTH_CONF" > # Append (expected) SMARTCARD_PASSWORD_SECTION row past the pam_permit.so into SMARTCARD_AUTH_CONF file > sed -i --follow-symlinks -e '/^'"$PAM_PERMIT_SO"'/a '"$SMARTCARD_PASSWORD_SECTION" "$SMARTCARD_AUTH_CONF" >fi > ># Perform /etc/pam_pkcs11/pam_pkcs11.conf settings below ># Define selected constants for later reuse >SP="[:space:]" >PAM_PKCS11_CONF="/etc/pam_pkcs11/pam_pkcs11.conf" > ># Ensure OCSP is turned on in $PAM_PKCS11_CONF ># 1) First replace any occurrence of 'none' value of 'cert_policy' key setting with the correct configuration >sed -i "s/^[$SP]*cert_policy[$SP]\+=[$SP]\+none;/\t\tcert_policy = ca, ocsp_on, signature;/g" "$PAM_PKCS11_CONF" ># 2) Then append 'ocsp_on' value setting to each 'cert_policy' key in $PAM_PKCS11_CONF configuration line, ># which does not contain it yet >sed -i "/ocsp_on/! s/^[$SP]*cert_policy[$SP]\+=[$SP]\+\(.*\);/\t\tcert_policy = \1, ocsp_on;/" "$PAM_PKCS11_CONF" ></code></pre></div></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation Anaconda snippet:</span>Â Â Â <a data-toggle="collapse" data-target="#idm46336723803152">(show)</a><br></br><div class="panel-collapse collapse" id="idm46336723803152"><pre><code> >package --add=pam_pkcs11 --add=esc ></code></pre></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-error rule-detail-id-xccdf_org.ssgproject.content_rule_install_smartcard_packages" id="rule-detail-idm46336714357664"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Install Smart Card Packages For Multifactor Authenticationxccdf_org.ssgproject.content_rule_install_smartcard_packages mediumCCE-80519-2 </div><div class="panel-heading"><h3 class="panel-title">Install Smart Card Packages For Multifactor Authentication</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_install_smartcard_packages</td></tr><tr><td>Result</td><td class="rule-result rule-result-error"><div><abbr title="The checking engine could not complete the evaluation, therefore the status of the target's compliance with the rule is not certain. This could happen, for example, if a testing tool was run with insufficient privileges and could not gather all of the necessary information.">error</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:15</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80519-2">CCE-80519-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001954</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000375-GPOS-00160</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-041001</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-87041r2_rule</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Configure the operating system to implement multifactor authentication by >installing the required packages with the following command: ><pre>$ sudo yum install esc pam_pkcs11 authconfig-gtk</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Using an authentication device, such as a CAC or token that is separate from >the information system, ensures that even if the information system is >compromised, that compromise will not affect credentials stored on the >authentication device. ><br><br> >Multifactor solutions that require devices separate from >information systems gaining access include, for example, hardware tokens >providing time-based or challenge-response authenticators and smart cards such >as the U.S. Government Personal Identity Verification card and the DoD Common >Access Card.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 1</message></pre><span class="label label-primary">info</span>Â > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">which: no dnf in (/bin:/sbin:/usr/bin:/usr/sbin) >/bin/yum >which: no dnf in (/bin:/sbin:/usr/bin:/usr/sbin) >/bin/yum >which: no dnf in (/bin:/sbin:/usr/bin:/usr/sbin) >/bin/yum >Loaded plugins: product-id, search-disabled-repos, subscription-manager >This system is not registered with an entitlement server. You can use subscription-manager to register. >There are no enabled repos. > Run "yum repolist all" to see the repos you have. > To enable Red Hat Subscription Management repositories: > subscription-manager repos --enable <repo> > To enable custom repositories: > yum-config-manager --enable <repo> ></message></pre><span class="label label-primary">info</span>Â > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Failed to verify applied fix: Checking engine returns: fail</message></pre></div></div></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation Shell script:</span>Â Â Â <a data-toggle="collapse" data-target="#idm46336723806528">(show)</a><br></br><div class="panel-collapse collapse" id="idm46336723806528"><pre><code><abbr title="from TestResult: xccdf_org.ssgproject.content_value_function_package_install"># Function to install packages on RHEL, Fedora, Debian, and possibly other systems. ># ># Example Call(s): ># ># package_install aide ># >function package_install { > ># Load function arguments into local variables >local package="$1" > ># Check sanity of the input >if [ $# -ne "1" ] >then > echo "Usage: package_install 'package_name'" > echo "Aborting." > exit 1 >fi > >if which dnf ; then > if ! rpm -q --quiet "$package"; then > dnf install -y "$package" > fi >elif which yum ; then > if ! rpm -q --quiet "$package"; then > yum install -y "$package" > fi >elif which apt-get ; then > apt-get install -y "$package" >else > echo "Failed to detect available packaging system, tried dnf, yum and apt-get!" > echo "Aborting." > exit 1 >fi > >} ></abbr> >package_install esc >package_install pam_pkcs11 ><abbr title="from TestResult: xccdf_org.ssgproject.content_value_function_package_install"># Function to install packages on RHEL, Fedora, Debian, and possibly other systems. ># ># Example Call(s): ># ># package_install aide ># >function package_install { > ># Load function arguments into local variables >local package="$1" > ># Check sanity of the input >if [ $# -ne "1" ] >then > echo "Usage: package_install 'package_name'" > echo "Aborting." > exit 1 >fi > >if which dnf ; then > if ! rpm -q --quiet "$package"; then > dnf install -y "$package" > fi >elif which yum ; then > if ! rpm -q --quiet "$package"; then > yum install -y "$package" > fi >elif which apt-get ; then > apt-get install -y "$package" >else > echo "Failed to detect available packaging system, tried dnf, yum and apt-get!" > echo "Aborting." > exit 1 >fi > >} ></abbr> >package_install authconfig-gtk ></code></pre></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notchecked rule-detail-id-xccdf_org.ssgproject.content_rule_smartcard_configure_cert_checking" id="rule-detail-idm46336714372416"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure Smart Card Certificate Status Checkingxccdf_org.ssgproject.content_rule_smartcard_configure_cert_checking mediumCCE-80520-0 </div><div class="panel-heading"><h3 class="panel-title">Configure Smart Card Certificate Status Checking</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_smartcard_configure_cert_checking</td></tr><tr><td>Result</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:28</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80520-0">CCE-80520-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001954</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000375-GPOS-00160</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-041003</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-87057r4_rule</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Configure the operating system to do certificate status checking for PKI >authentication. Modify all of the <code>cert_policy</code> lines in ><code>/etc/pam_pkcs11/pam_pkcs11.conf</code> to include <code>ocsp_on</code> like so: ><pre>cert_policy = ca, ocsp_on, signature;</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Using an authentication device, such as a CAC or token that is separate from >the information system, ensures that even if the information system is >compromised, that compromise will not affect credentials stored on the >authentication device. ><br><br> >Multifactor solutions that require devices separate from >information systems gaining access include, for example, hardware tokens >providing time-based or challenge-response authenticators and smart cards such >as the U.S. Government Personal Identity Verification card and the DoD Common >Access Card.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">No candidate or applicable check found.</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_require_singleuser_auth" id="rule-detail-idm46336714369824"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Require Authentication for Single User Modexccdf_org.ssgproject.content_rule_require_singleuser_auth mediumCCE-27287-2 </div><div class="panel-heading"><h3 class="panel-title">Require Authentication for Single User Mode</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_require_singleuser_auth</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:28</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27287-2">CCE-27287-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FIA_AFL.1</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-010481</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-92519r1_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">1.4.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.5</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000213</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(B)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(7)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(7)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(ii)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(iii)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(c)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(2)(iii)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-2(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000080-GPOS-00048</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-010481</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-92519r1_rule</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Single-user mode is intended as a system recovery >method, providing a single user root access to the system by >providing a boot option at startup. By default, no authentication >is performed if single-user mode is selected. ><br><br> >By default, single-user mode is protected by requiring a password and is set >in <code>/usr/lib/systemd/system/rescue.service</code>.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>This prevents attackers with physical access from trivially bypassing security >on the machine and gaining root access. Such accesses are further prevented >by configuring the bootloader password.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_reboot" id="rule-detail-idm46336714347328"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable Ctrl-Alt-Del Reboot Activationxccdf_org.ssgproject.content_rule_disable_ctrlaltdel_reboot highCCE-27511-5 </div><div class="panel-heading"><h3 class="panel-title">Disable Ctrl-Alt-Del Reboot Activation</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_reboot</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:15</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27511-5">CCE-27511-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-020230</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86617r1_rule</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.5</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(B)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(7)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(7)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(ii)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(iii)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(c)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(2)(iii)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>By default, <code>SystemD</code> will reboot the system if the <code>Ctrl-Alt-Del</code> >key sequence is pressed. ><br><br> >To configure the system to ignore the <code>Ctrl-Alt-Del</code> key sequence from the >command line instead of rebooting the system, do either of the following: ><pre>ln -sf /dev/null /etc/systemd/system/ctrl-alt-del.target</pre> >or ><pre>systemctl mask ctrl-alt-del.target</pre> ><br><br> >Do not simply delete the <code>/usr/lib/systemd/system/ctrl-alt-del.service</code> file, >as this file may be restored during future system updates.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>A locally logged-in user who presses Ctrl-Alt-Del, when at the console, >can reboot the system. If accidentally pressed, as could happen in >the case of mixed OS environment, this can create the risk of short-term >loss of availability of systems due to unintentional reboot.</p></div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span>Â > Disabling the <code>Ctrl-Alt-Del</code> key sequence >in <code>/etc/init/control-alt-delete.conf</code> DOES NOT disable the <code>Ctrl-Alt-Del</code> >key sequence if running in <code>runlevel 6</code> (e.g. in GNOME, KDE, etc.)! The ><code>Ctrl-Alt-Del</code> key sequence will only be disabled if running in >the non-graphical <code>runlevel 3</code>.</div></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre><span class="label label-primary">info</span>Â > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Created symlink /etc/systemd/system/ctrl-alt-del.target, pointing to /dev/null. ></message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_dconf_gnome_banner_enabled" id="rule-detail-idm46336714336880"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Enable GNOME3 Login Warning Bannerxccdf_org.ssgproject.content_rule_dconf_gnome_banner_enabled mediumCCE-26970-4 </div><div class="panel-heading"><h3 class="panel-title">Enable GNOME3 Login Warning Banner</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_dconf_gnome_banner_enabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:29</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-26970-4">CCE-26970-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-010030</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86483r3_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">1.7.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.9</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000048</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-8(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-8(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-8(c)(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-8(c)(2)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-8(c)(3)</a>, <a href="">OS-SRG-000023-GPOS-00006</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000024-GPOS-00007</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000228-GPOS-00088</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>In the default graphical environment, displaying a login warning banner >in the GNOME Display Manager's login screen can be enabled on the login >screen by setting <code>banner-message-enable</code> to <code>true</code>. ><br><br> >To enable, add or edit <code>banner-message-enable</code> to ><code>/etc/dconf/db/gdm.d/00-security-settings</code>. For example: ><pre>[org/gnome/login-screen] >banner-message-enable=true</pre> >Once the setting has been added, add a lock to ><code>/etc/dconf/db/gdm.d/locks/00-security-settings-lock</code> to prevent user modification. >For example: ><pre>/org/gnome/login-screen/banner-message-enable</pre> >After the settings have been set, run <code>dconf update</code>. >The banner text must also be set.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Display of a standardized and approved use notification before granting access to the operating system >ensures privacy and security notification verbiage used is consistent with applicable federal laws, >Executive Orders, directives, policies, regulations, standards, and guidance. ><br><br> >For U.S. Government systems, system use notifications are required only for access via login interfaces >with human users and are not required when such human interfaces do not exist.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_dconf_gnome_login_banner_text" id="rule-detail-idm46336714333056"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set the GNOME3 Login Warning Banner Textxccdf_org.ssgproject.content_rule_dconf_gnome_login_banner_text mediumCCE-26892-0 </div><div class="panel-heading"><h3 class="panel-title">Set the GNOME3 Login Warning Banner Text</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_dconf_gnome_login_banner_text</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:29</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-26892-0">CCE-26892-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-010040</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86485r3_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">1.7.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.9</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000048</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-8(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-8(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-8(c)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000023-GPOS-00006</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000024-GPOS-00007</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000228-GPOS-00088</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>In the default graphical environment, configuring the login warning banner text >in the GNOME Display Manager's login screen can be configured on the login >screen by setting <code>banner-message-text</code> to <code>string '<i>APPROVED_BANNER</i>'</code> >where <i>APPROVED_BANNER</i> is the approved banner for your environment. ><br><br> >To enable, add or edit <code>banner-message-text</code> to ><code>/etc/dconf/db/gdm.d/00-security-settings</code>. For example: ><pre>[org/gnome/login-screen] >banner-message-text='<i>APPROVED_BANNER</i>'</pre> >Once the setting has been added, add a lock to ><code>/etc/dconf/db/gdm.d/locks/00-security-settings-lock</code> to prevent user modification. >For example: ><pre>/org/gnome/login-screen/banner-message-text</pre> >After the settings have been set, run <code>dconf update</code>. >When entering a warning banner that spans several lines, remember >to begin and end the string with <code>'</code> and use <code>\n</code> for new lines.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>An appropriate warning message reinforces policy awareness during the logon >process and facilitates possible legal action against attackers.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_banner_etc_issue" id="rule-detail-idm46336714323808"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Modify the System Login Bannerxccdf_org.ssgproject.content_rule_banner_etc_issue mediumCCE-27303-7 </div><div class="panel-heading"><h3 class="panel-title">Modify the System Login Banner</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_banner_etc_issue</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:15</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27303-7">CCE-27303-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-010050</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86487r2_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">1.7.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.9</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000048</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-8(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-8(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-8(c)(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-8(c)(2)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-8(c)(3)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000023-GPOS-00006</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000024-GPOS-00007</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To configure the system login banner edit <code>/etc/issue</code>. Replace >the default text with a message compliant with the local site policy >or a legal disclaimer. > >The DoD required text is either: ><br><br> ><code>You are accessing a U.S. Government (USG) Information System (IS) that is >provided for USG-authorized use only. By using this IS (which includes any >device attached to this IS), you consent to the following conditions: ><br>-The USG routinely intercepts and monitors communications on this IS for purposes >including, but not limited to, penetration testing, COMSEC monitoring, network >operations and defense, personnel misconduct (PM), law enforcement (LE), and >counterintelligence (CI) investigations. ><br>-At any time, the USG may inspect and seize data stored on this IS. ><br>-Communications using, or data stored on, this IS are not private, are subject >to routine monitoring, interception, and search, and may be disclosed or used >for any USG-authorized purpose. ><br>-This IS includes security measures (e.g., authentication and access controls) >to protect USG interests -- not for your personal benefit or privacy. ><br>-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative >searching or monitoring of the content of privileged communications, or work >product, related to personal representation or services by attorneys, >psychotherapists, or clergy, and their assistants. Such communications and work >product are private and confidential. See User Agreement for details.</code> ><br><br> >OR: ><br><br> ><code>I've read & consent to terms in IS user agreem't.</code></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Display of a standardized and approved use notification before granting access to the operating system >ensures privacy and security notification verbiage used is consistent with applicable federal laws, >Executive Orders, directives, policies, regulations, standards, and guidance. ><br><br> >System use notifications are required only for access via login interfaces with human users and >are not required when such human interfaces do not exist.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notchecked rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_umask_interactive_users" id="rule-detail-idm46336714306576"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure the Default Umask is Set Correctly For Interactive Usersxccdf_org.ssgproject.content_rule_accounts_umask_interactive_users mediumCCE-80536-6 </div><div class="panel-heading"><h3 class="panel-title">Ensure the Default Umask is Set Correctly For Interactive Users</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_umask_interactive_users</td></tr><tr><td>Result</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:29</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80536-6">CCE-80536-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001814</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-021040</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86673r1_rule</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Remove the <code>UMASK</code> environment variable from all interactive users initialization files.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The umask controls the default access mode assigned to newly created files. A >umask of 077 limits new files to mode 700 or less permissive. Although umask can >be represented as a four-digit number, the first digit representing special >access modes is typically ignored or required to be 0. This requirement >applies to the globally configured system defaults and the local interactive >user defaults for each account on the system.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">No candidate or applicable check found.</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_umask_etc_login_defs" id="rule-detail-idm46336714304160"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure the Default Umask is Set Correctly in login.defsxccdf_org.ssgproject.content_rule_accounts_umask_etc_login_defs unknownCCE-80205-8 </div><div class="panel-heading"><h3 class="panel-title">Ensure the Default Umask is Set Correctly in login.defs</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_umask_etc_login_defs</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:29</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80205-8">CCE-80205-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-020240</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86619r1_rule</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-8</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00228</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To ensure the default umask controlled by <code>/etc/login.defs</code> is set properly, >add or correct the <code>UMASK</code> setting in <code>/etc/login.defs</code> to read as follows: ><pre>UMASK <abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_user_umask">077</abbr></pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The umask value influences the permissions assigned to files when they are created. >A misconfigured umask value could result in files with excessive permissions that can be read and >written to by unauthorized users.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notchecked rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_user_dot_no_world_writable_programs" id="rule-detail-idm46336714293408"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->User Initialization Files Must Not Run World-Writable Programsxccdf_org.ssgproject.content_rule_accounts_user_dot_no_world_writable_programs mediumCCE-80523-4 </div><div class="panel-heading"><h3 class="panel-title">User Initialization Files Must Not Run World-Writable Programs</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_user_dot_no_world_writable_programs</td></tr><tr><td>Result</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:29</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80523-4">CCE-80523-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-020730</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86661r1_rule</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Set the mode on files being executed by the user initialization files with the >following command: ><pre>$ sudo chmod 0755 <i>FILE</i></pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>If user start-up files execute world-writable programs, especially in >unprotected directories, they could be maliciously modified to destroy user >files or otherwise compromise the system at the user level. If the system is >compromised at the user level, it is easier to elevate privileges to eventually >compromise the system at the root and network level.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">No candidate or applicable check found.</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_tmout" id="rule-detail-idm46336714290528"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set Interactive Session Timeoutxccdf_org.ssgproject.content_rule_accounts_tmout mediumCCE-27557-8 </div><div class="panel-heading"><h3 class="panel-title">Set Interactive Session Timeout</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_tmout</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:15</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27557-8">CCE-27557-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040160</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86847r3_rule</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.11</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001133</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000361</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-12</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-10</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000163-GPOS-00072</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Setting the <code>TMOUT</code> option in <code>/etc/profile</code> ensures that >all user sessions will terminate based on inactivity. The <code>TMOUT</code> >setting in <code>/etc/profile</code> should read as follows: ><pre>TMOUT=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_tmout">600</abbr></pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Terminating an idle session within a short time period reduces >the window of opportunity for unauthorized personnel to take control of a >management session enabled on the console or console port that has been >left unattended.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notchecked rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_user_dot_user_ownership" id="rule-detail-idm46336714284992"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->User Initialization Files Must Be Owned By the Primary Userxccdf_org.ssgproject.content_rule_accounts_user_dot_user_ownership mediumCCE-80527-5 </div><div class="panel-heading"><h3 class="panel-title">User Initialization Files Must Be Owned By the Primary User</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_user_dot_user_ownership</td></tr><tr><td>Result</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:29</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80527-5">CCE-80527-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-020690</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86653r1_rule</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Set the owner of the user initialization files for interactive users to >the primary owner with the following command: ><pre>$ sudo chown <i>USER</i> /home/<i>USER</i>/.*</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Local initialization files are used to configure the user's shell environment >upon logon. Malicious modification of these files could compromise accounts upon >logon.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">No candidate or applicable check found.</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notchecked rule-detail-id-xccdf_org.ssgproject.content_rule_file_permission_user_init_files" id="rule-detail-idm46336714282400"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure All User Initialization Files Have Mode 0740 Or Less Permissivexccdf_org.ssgproject.content_rule_file_permission_user_init_files mediumCCE-80525-9 </div><div class="panel-heading"><h3 class="panel-title">Ensure All User Initialization Files Have Mode 0740 Or Less Permissive</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_file_permission_user_init_files</td></tr><tr><td>Result</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:29</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80525-9">CCE-80525-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-020710</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86657r1_rule</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Set the mode of the user initialization files to <code>0740</code> with the >following command: ><pre>$ sudo chmod 0740 /home/<i>USER</i>/.<i>INIT_FILE</i></pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Local initialization files are used to configure the user's shell environment >upon logon. Malicious modification of these files could compromise accounts upon >logon.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">No candidate or applicable check found.</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notchecked rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_user_dot_group_ownership" id="rule-detail-idm46336714278848"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->User Initialization Files Must Be Group-Owned By The Primary Userxccdf_org.ssgproject.content_rule_accounts_user_dot_group_ownership mediumCCE-80526-7 </div><div class="panel-heading"><h3 class="panel-title">User Initialization Files Must Be Group-Owned By The Primary User</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_user_dot_group_ownership</td></tr><tr><td>Result</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:29</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80526-7">CCE-80526-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-020700</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86655r2_rule</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Change the group owner of interactive users files to the group found >in <pre>/etc/passwd</pre> for the user. To change the group owner of a local >interactive user home directory, use the following command: ><pre>$ sudo chgrp <i>USER_GROUP</i> /home/<i>USER</i>/.<i>INIT_FILE</i></pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Local initialization files for interactive users are used to configure the >user's shell environment upon logon. Malicious modification of these files could >compromise accounts upon logon.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">No candidate or applicable check found.</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notchecked rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_user_interactive_home_directory_exists" id="rule-detail-idm46336714275504"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->All Interactive Users Home Directories Must Existxccdf_org.ssgproject.content_rule_accounts_user_interactive_home_directory_exists mediumCCE-80529-1 </div><div class="panel-heading"><h3 class="panel-title">All Interactive Users Home Directories Must Exist</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_user_interactive_home_directory_exists</td></tr><tr><td>Result</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:29</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80529-1">CCE-80529-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-020620</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86639r1_rule</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Create home directories to all interactive users that currently do not >have a home directory assigned. Use the following commands to create the user >home directory assigned in <code>/etc/passwd</code>: ><pre>$ sudo mkdir /home/<i>USER</i></pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>If a local interactive user has a home directory defined that does not exist, >the user may be given access to the / directory as the current working directory >upon logon. This could create a Denial of Service because the user would not be >able to access their logon configuration files, and it may give them visibility >to system files they normally would not be able to access.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">No candidate or applicable check found.</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notchecked rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_users_home_files_groupownership" id="rule-detail-idm46336714270240"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->All User Files and Directories In The Home Directory Must Be Group-Owned By The Primary Userxccdf_org.ssgproject.content_rule_accounts_users_home_files_groupownership mediumCCE-80534-1 </div><div class="panel-heading"><h3 class="panel-title">All User Files and Directories In The Home Directory Must Be Group-Owned By The Primary User</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_users_home_files_groupownership</td></tr><tr><td>Result</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:29</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80534-1">CCE-80534-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-020670</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86649r1_rule</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Change the group of a local interactive users files and directories to a >group that the interactive user is a member of. To change the group owner of a >local interactive users files and directories, use the following command: ><pre>$ sudo chgrp <i>USER_GROUP</i> /home/<i>USER</i>/<i>FILE_DIR</i></pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>If a local interactive users files are group-owned by a group of which the >user is not a member, unintended users may be able to access them.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">No candidate or applicable check found.</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_logon_fail_delay" id="rule-detail-idm46336714267280"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure the Logon Failure Delay is Set Correctly in login.defsxccdf_org.ssgproject.content_rule_accounts_logon_fail_delay unknownCCE-80352-8 </div><div class="panel-heading"><h3 class="panel-title">Ensure the Logon Failure Delay is Set Correctly in login.defs</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_logon_fail_delay</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:15</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80352-8">CCE-80352-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-010430</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86575r1_rule</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(b)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00226</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To ensure the logon failure delay controlled by <code>/etc/login.defs</code> is set properly, >add or correct the <code>FAIL_DELAY</code> setting in <code>/etc/login.defs</code> to read as follows: ><pre>FAIL_DELAY <abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_fail_delay">4</abbr></pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Increasing the time between a failed authentication attempt and re-prompting to >enter credentials helps to slow a single-threaded brute force attack.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_have_homedir_login_defs" id="rule-detail-idm46336714248960"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure Home Directories are Created for New Usersxccdf_org.ssgproject.content_rule_accounts_have_homedir_login_defs mediumCCE-80434-4 </div><div class="panel-heading"><h3 class="panel-title">Ensure Home Directories are Created for New Users</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_have_homedir_login_defs</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:29</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80434-4">CCE-80434-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-020610</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86637r1_rule</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>All local interactive user accounts, upon creation, should be assigned a home directory. ><br><br> >Configure the operating system to assign home directories to all new local interactive users by setting the <code>CREATE_HOME</code> >parameter in <code>/etc/login.defs</code> to <code>yes</code> as follows: ><br><br> ><pre>CREATE_HOME yes</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>If local interactive users are not assigned a valid home directory, there is no place >for the storage and control of files they should own.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_max_concurrent_login_sessions" id="rule-detail-idm46336714260560"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Limit the Number of Concurrent Login Sessions Allowed Per Userxccdf_org.ssgproject.content_rule_accounts_max_concurrent_login_sessions lowCCE-27081-9 </div><div class="panel-heading"><h3 class="panel-title">Limit the Number of Concurrent Login Sessions Allowed Per User</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_max_concurrent_login_sessions</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:15</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27081-9">CCE-27081-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040000</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86841r1_rule</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.2.2</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000054</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-10</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000027-GPOS-00008</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Limiting the number of allowed users and sessions per user can limit risks related to Denial of >Service attacks. This addresses concurrent sessions for a single account and does not address >concurrent sessions by a single user via multiple accounts. To set the number of concurrent >sessions per user add the following line in <code>/etc/security/limits.conf</code>: ><pre>* hard maxlogins <abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_max_concurrent_login_sessions">10</abbr></pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Limiting simultaneous user logins can insulate the system from denial of service >problems caused by excessive logins. Automated login processes operating improperly or >maliciously may result in an exceptional number of simultaneous login sessions.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notchecked rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_users_home_files_permissions" id="rule-detail-idm46336714243040"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->All User Files and Directories In The Home Directory Must Have Mode 0750 Or Less Permissivexccdf_org.ssgproject.content_rule_accounts_users_home_files_permissions mediumCCE-80535-8 </div><div class="panel-heading"><h3 class="panel-title">All User Files and Directories In The Home Directory Must Have Mode 0750 Or Less Permissive</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_users_home_files_permissions</td></tr><tr><td>Result</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:29</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80535-8">CCE-80535-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-020680</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86651r1_rule</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Set the mode on files and directories in the local interactive user home >directory with the following command: ><pre>$ sudo chmod 0750 /home/<i>USER</i>/<i>FILE_DIR</i></pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>If a local interactive user files have excessive permissions, unintended users >may be able to access or modify them.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">No candidate or applicable check found.</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notchecked rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_user_home_paths_only" id="rule-detail-idm46336714240304"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure that Users Path Contains Only Local Directoriesxccdf_org.ssgproject.content_rule_accounts_user_home_paths_only mediumCCE-80524-2 </div><div class="panel-heading"><h3 class="panel-title">Ensure that Users Path Contains Only Local Directories</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_user_home_paths_only</td></tr><tr><td>Result</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:29</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80524-2">CCE-80524-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-020720</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86659r3_rule</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Ensure that all interactive user initialization files executable search >path statements do not contain statements that will reference a working >directory other than the users home directory.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The executable search path (typically the PATH environment variable) contains a >list of directories for the shell to search to find executables. If this path >includes the current working directory (other than the users home directory), >executables in these directories may be executed instead of system commands. >This variable is formatted as a colon-separated list of directories. If there is >an empty entry, such as a leading or trailing colon or two consecutive colons, >this is interpreted as the current working directory. If deviations from the >default system search path for the local interactive user are required, they >must be documented with the Information System Security Officer (ISSO).</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">No candidate or applicable check found.</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notchecked rule-detail-id-xccdf_org.ssgproject.content_rule_file_groupownership_home_directories" id="rule-detail-idm46336714237040"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->All Interactive User Home Directories Must Be Group-Owned By The Primary Userxccdf_org.ssgproject.content_rule_file_groupownership_home_directories mediumCCE-80532-5 </div><div class="panel-heading"><h3 class="panel-title">All Interactive User Home Directories Must Be Group-Owned By The Primary User</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_file_groupownership_home_directories</td></tr><tr><td>Result</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:29</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80532-5">CCE-80532-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-020650</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86645r4_rule</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Change the group owner of interactive users home directory to the >group found in <code>/etc/passwd</code>. To change the group owner of >interactive users home directory, use the following command: ><pre>$ sudo chgrp <i>USER_GROUP</i> /home/<i>USER</i></pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>If the Group Identifier (GID) of a local interactive users home directory is >not the same as the primary GID of the user, this would allow unauthorized >access to the users files, and users that share the same group may not be >able to access files that they legitimately should.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">No candidate or applicable check found.</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notchecked rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_user_interactive_home_directory_defined" id="rule-detail-idm46336714233696"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->All Interactive Users Must Have A Home Directory Definedxccdf_org.ssgproject.content_rule_accounts_user_interactive_home_directory_defined mediumCCE-80528-3 </div><div class="panel-heading"><h3 class="panel-title">All Interactive Users Must Have A Home Directory Defined</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_user_interactive_home_directory_defined</td></tr><tr><td>Result</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:29</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80528-3">CCE-80528-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-020600</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86635r1_rule</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Assign home directories to all interactive users that currently do not >have a home directory assigned.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>If local interactive users are not assigned a valid home directory, there is no >place for the storage and control of files they should own.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">No candidate or applicable check found.</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notchecked rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_users_home_files_ownership" id="rule-detail-idm46336714230240"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->All User Files and Directories In The Home Directory Must Be Owned By The Primary Userxccdf_org.ssgproject.content_rule_accounts_users_home_files_ownership mediumCCE-80533-3 </div><div class="panel-heading"><h3 class="panel-title">All User Files and Directories In The Home Directory Must Be Owned By The Primary User</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_users_home_files_ownership</td></tr><tr><td>Result</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:29</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80533-3">CCE-80533-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-020660</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86647r1_rule</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Change the owner of a interactive users files and directories to that >owner. To change the of a local interactive users files and >directories, use the following command: ><pre>$ sudo chown -R <i>USER</i> /home/<i>USER</i></pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>If local interactive users do not own the files in their directories, >unauthorized users may be able to access them. Additionally, if files are not >owned by the user, this could be an indication of system compromise.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">No candidate or applicable check found.</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notchecked rule-detail-id-xccdf_org.ssgproject.content_rule_file_ownership_home_directories" id="rule-detail-idm46336714227248"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->All Interactive User Home Directories Must Be Owned By The Primary Userxccdf_org.ssgproject.content_rule_file_ownership_home_directories mediumCCE-80531-7 </div><div class="panel-heading"><h3 class="panel-title">All Interactive User Home Directories Must Be Owned By The Primary User</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_file_ownership_home_directories</td></tr><tr><td>Result</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:29</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80531-7">CCE-80531-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-020640</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86643r4_rule</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Change the owner of interactive users home directories to that correct >owner. To change the owner of a interactive users home directory, use >the following command: ><pre>$ sudo chown <i>USER</i> /home/<i>USER</i></pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>If a local interactive user does not own their home directory, unauthorized >users could access or modify the user's files, and the users may not be able to >access their own files.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">No candidate or applicable check found.</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notchecked rule-detail-id-xccdf_org.ssgproject.content_rule_file_permissions_home_directories" id="rule-detail-idm46336714224000"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->All Interactive User Home Directories Must Have mode 0750 Or Less Permissivexccdf_org.ssgproject.content_rule_file_permissions_home_directories mediumCCE-80530-9 </div><div class="panel-heading"><h3 class="panel-title">All Interactive User Home Directories Must Have mode 0750 Or Less Permissive</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_file_permissions_home_directories</td></tr><tr><td>Result</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:29</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80530-9">CCE-80530-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-020630</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86641r2_rule</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Change the mode of interactive users home directories to <code>0750</code>. To >change the mode of interactive users home directory, use the >following command: ><pre>$ sudo chmod 0750 /home/<i>USER</i></pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Excessive permissions on local interactive user home directories may allow >unauthorized access to user files by other users.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">No candidate or applicable check found.</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_file_permissions_ungroupowned" id="rule-detail-idm46336714175232"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure All Files Are Owned by a Groupxccdf_org.ssgproject.content_rule_file_permissions_ungroupowned mediumCCE-80135-7 </div><div class="panel-heading"><h3 class="panel-title">Ensure All Files Are Owned by a Group</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_file_permissions_ungroupowned</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:47</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80135-7">CCE-80135-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-020330</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86633r2_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">6.1.12</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002165</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3(4)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-2</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>If any files are not owned by a group, then the >cause of their lack of group-ownership should be investigated. >Following this, the files should be deleted or assigned to an >appropriate group.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Unowned files do not directly imply a security problem, but they are generally >a sign that something is amiss. They may >be caused by an intruder, by incorrect software installation or >draft software removal, or by failure to remove all files belonging >to a deleted account. The files should be repaired so they >will not cause problems when accounts are created in the future, >and the cause should be discovered and addressed.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_dir_perms_world_writable_system_owned" id="rule-detail-idm46336714171264"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure All World-Writable Directories Are Owned by a System Accountxccdf_org.ssgproject.content_rule_dir_perms_world_writable_system_owned unknownCCE-80136-5 </div><div class="panel-heading"><h3 class="panel-title">Ensure All World-Writable Directories Are Owned by a System Account</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_dir_perms_world_writable_system_owned</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:50</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80136-5">CCE-80136-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-021030</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86671r3_rule</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>All directories in local partitions which are >world-writable should be owned by root or another >system account. If any world-writable directories are not >owned by a system account, this should be investigated. >Following this, the files should be deleted or assigned to an >appropriate group.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Allowing a user account to own a world-writable directory is >undesirable because it allows the owner of that directory to remove >or replace any files that may be placed in the directory by other >users.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_no_files_unowned_by_user" id="rule-detail-idm46336714167328"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure All Files Are Owned by a Userxccdf_org.ssgproject.content_rule_no_files_unowned_by_user mediumCCE-80134-0 </div><div class="panel-heading"><h3 class="panel-title">Ensure All Files Are Owned by a User</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_no_files_unowned_by_user</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:26:03</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80134-0">CCE-80134-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-020320</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86631r2_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">6.1.11</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002165</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3(4)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(b)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>If any files are not owned by a user, then the >cause of their lack of ownership should be investigated. >Following this, the files should be deleted or assigned to an >appropriate user.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Unowned files do not directly imply a security problem, but they are generally >a sign that something is amiss. They may >be caused by an intruder, by incorrect software installation or >draft software removal, or by failure to remove all files belonging >to a deleted account. The files should be repaired so they >will not cause problems when accounts are created in the future, >and the cause should be discovered and addressed.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_kernel_randomize_va_space" id="rule-detail-idm46336714140560"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Enable Randomized Layout of Virtual Address Spacexccdf_org.ssgproject.content_rule_sysctl_kernel_randomize_va_space mediumCCE-27127-0 </div><div class="panel-heading"><h3 class="panel-title">Enable Randomized Layout of Virtual Address Space</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_kernel_randomize_va_space</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:15</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27127-0">CCE-27127-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">1.5.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(c)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-30(2)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040201</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-92521r1_rule</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To set the runtime status of the <code>kernel.randomize_va_space</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.randomize_va_space=2</pre> >If this is not the system default value, add the following line to <code>/etc/sysctl.conf</code>: <pre>kernel.randomize_va_space = 2</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Address space layout randomization (ASLR) makes it more difficult >for an attacker to predict the location of attack code they have introduced >into a process's address space during an attempt at exploitation. Additionally, ASLR >makes it more difficult for an attacker to know the location of existing code >in order to re-purpose it using return oriented programming (ROP) techniques.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_mount_option_home_nosuid" id="rule-detail-idm46336714117104"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Add nosuid Option to /homexccdf_org.ssgproject.content_rule_mount_option_home_nosuid unknownCCE-81153-9 </div><div class="panel-heading"><h3 class="panel-title">Add nosuid Option to /home</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_mount_option_home_nosuid</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:26:03</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-81153-9">CCE-81153-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-021000</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86665r3_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">1.1.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MP-2</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>nosuid</code> mount option can be used to prevent >execution of setuid programs in <code>/home</code>. The SUID and SGID permissions >should not be required in these user data directories. >Add the <code>nosuid</code> option to the fourth column of ><code>/etc/fstab</code> for the line which controls mounting of ><code>/home</code>.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The presence of SUID and SGID executables should be tightly controlled. Users >should not be able to execute SUID or SGID binaries from user home directory partitions.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_mount_option_nosuid_removable_partitions" id="rule-detail-idm46336714108880"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Add nosuid Option to Removable Media Partitionsxccdf_org.ssgproject.content_rule_mount_option_nosuid_removable_partitions unknownCCE-80148-0 </div><div class="panel-heading"><h3 class="panel-title">Add nosuid Option to Removable Media Partitions</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_mount_option_nosuid_removable_partitions</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:26:03</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80148-0">CCE-80148-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-021010</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86667r1_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">1.1.19</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-19(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-19(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-19(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MP-2</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>nosuid</code> mount option prevents set-user-identifier (SUID) >and set-group-identifier (SGID) permissions from taking effect. These permissions >allow users to execute binaries with the same permissions as the owner and group >of the file respectively. Users should not be allowed to introduce SUID and SGID >files into the system via partitions mounted from removeable media. >Add the <code>nosuid</code> option to the fourth column of ><code>/etc/fstab</code> for the line which controls mounting of > > any removable media partitions.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The presence of SUID and SGID executables should be tightly controlled. Allowing >users to introduce SUID or SGID binaries from partitions mounted off of >removable media would allow them to introduce their own highly-privileged programs.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_kernel_module_usb-storage_disabled" id="rule-detail-idm46336714083168"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable Modprobe Loading of USB Storage Driverxccdf_org.ssgproject.content_rule_kernel_module_usb-storage_disabled mediumCCE-27277-3 </div><div class="panel-heading"><h3 class="panel-title">Disable Modprobe Loading of USB Storage Driver</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_kernel_module_usb-storage_disabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:15</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27277-3">CCE-27277-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-020100</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86607r2_rule</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.21</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000778</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001958</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(2)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(iv)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-19(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-19(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-19(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-3</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000114-GPOS-00059</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000378-GPOS-0016</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To prevent USB storage devices from being used, configure the kernel module loading system >to prevent automatic loading of the USB storage driver. > >To configure the system to prevent the <code>usb-storage</code> >kernel module from being loaded, add the following line to a file in the directory <code>/etc/modprobe.d</code>: ><pre>install usb-storage /bin/true</pre> >This will prevent the <code>modprobe</code> program from loading the <code>usb-storage</code> >module, but will not prevent an administrator (or another program) from using the ><code>insmod</code> program to load the module manually.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>USB storage devices such as thumb drives can be used to introduce >malicious software.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre><span class="label label-primary">info</span>Â > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">grep: /etc/modprobe.d/usb-storage.conf: No such file or directory ></message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_service_autofs_disabled" id="rule-detail-idm46336714055344"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable the Automounterxccdf_org.ssgproject.content_rule_service_autofs_disabled mediumCCE-27498-5 </div><div class="panel-heading"><h3 class="panel-title">Disable the Automounter</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_service_autofs_disabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:26:03</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27498-5">CCE-27498-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-020110</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86609r1_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">1.1.22</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.6</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000778</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001958</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(2)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(iv)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-19(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-19(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-19(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-3</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000114-GPOS-00059</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000378-GPOS-00163</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>autofs</code> daemon mounts and unmounts filesystems, such as user >home directories shared via NFS, on demand. In addition, autofs can be used to handle >removable media, and the default configuration provides the cdrom device as <code>/misc/cd</code>. >However, this method of providing access to removable media is not common, so autofs >can almost always be disabled if NFS is not in use. Even if NFS is required, it may be >possible to configure filesystem mounts statically by editing <code>/etc/fstab</code> >rather than relying on the automounter. ><br><br> > >The <code>autofs</code> service can be disabled with the following command: ><pre>$ sudo systemctl disable autofs.service</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Disabling the automounter permits the administrator to >statically control filesystem mounting through <code>/etc/fstab</code>. ><br><br> >Additionally, automatically mounting filesystems permits easy introduction of >unknown devices, thereby facilitating malicious activity.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notchecked rule-detail-id-xccdf_org.ssgproject.content_rule_auditd_audispd_encrypt_sent_records" id="rule-detail-idm46336714043808"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Encrypt Audit Records Sent With audispd Pluginxccdf_org.ssgproject.content_rule_auditd_audispd_encrypt_sent_records mediumCCE-80540-8 </div><div class="panel-heading"><h3 class="panel-title">Encrypt Audit Records Sent With audispd Plugin</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_auditd_audispd_encrypt_sent_records</td></tr><tr><td>Result</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:26:03</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80540-8">CCE-80540-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001851</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000342-GPOS-00133</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030310</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86709r1_rule</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Configure the operating system to encrypt the transfer of off-loaded audit >records onto a different system or media from the system being audited. >Uncomment the <code>enable_krb5</code> option in <pre>/etc/audisp/audisp-remote.conf</pre>, >and set it with the following line: ><pre>enable_krb5 = yes</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Information stored in one location is vulnerable to accidental or incidental deletion >or alteration. Off-loading is a common process in information systems with limited >audit storage capacity.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">No candidate or applicable check found.</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notchecked rule-detail-id-xccdf_org.ssgproject.content_rule_auditd_audispd_configure_remote_server" id="rule-detail-idm46336714040944"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure audispd Plugin To Send Logs To Remote Serverxccdf_org.ssgproject.content_rule_auditd_audispd_configure_remote_server mediumCCE-80541-6 </div><div class="panel-heading"><h3 class="panel-title">Configure audispd Plugin To Send Logs To Remote Server</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_auditd_audispd_configure_remote_server</td></tr><tr><td>Result</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:26:03</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80541-6">CCE-80541-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001851</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000342-GPOS-00133</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030300</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86707r1_rule</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Configure the audispd plugin to off-load audit records onto a different >system or media from the system being audited. >Set the <code>remote_server</code> option in <pre>/etc/audisp/audisp-remote.conf</pre> >with an IP address or hostname of the system that the audispd plugin should >send audit records to. For example replacing <i>REMOTE_SYSTEM</i> with an IP >address or hostname: ><pre>remote_server = <i>REMOTE_SYSTEM</i></pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Information stored in one location is vulnerable to accidental or incidental >deletion or alteration.Off-loading is a common process in information systems >with limited audit storage capacity.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">No candidate or applicable check found.</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notchecked rule-detail-id-xccdf_org.ssgproject.content_rule_auditd_audispd_network_failure_action" id="rule-detail-idm46336714037600"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure audispd's Plugin network_failure_action On Network Failurexccdf_org.ssgproject.content_rule_auditd_audispd_network_failure_action mediumCCE-80538-2 </div><div class="panel-heading"><h3 class="panel-title">Configure audispd's Plugin network_failure_action On Network Failure</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_auditd_audispd_network_failure_action</td></tr><tr><td>Result</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:26:03</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80538-2">CCE-80538-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001851</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000342-GPOS-00133</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030321</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-87815r2_rule</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Configure the action the operating system takes if there is an error sending >audit records to a remote system. Edit the file <code>/etc/audisp/audisp-remote.conf</code>. >Add or modify the following line, substituting <i>ACTION</i> appropriately: ><pre>network_failure_action = <i>ACTION</i></pre> >Set this value to <code>single</code> to cause the system to switch to single user >mode for corrective action. Acceptable values also include <code>syslog</code> and ><code>halt</code>. For certain systems, the need for availability >outweighs the need to log all actions, and a different setting should be >determined.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Taking appropriate action when there is an error sending audit records to a >remote system will minimize the possibility of losing audit records.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">No candidate or applicable check found.</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left" id="rule-detail-idm46336714029600"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure auditd space_left on Low Disk Spacexccdf_org.ssgproject.content_rule_auditd_data_retention_space_left mediumCCE-80537-4 </div><div class="panel-heading"><h3 class="panel-title">Configure auditd space_left on Low Disk Space</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:15</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80537-4">CCE-80537-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001855</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-4</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-5(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.7</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000343-GPOS-00134</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030330</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86713r1_rule</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>auditd</code> service can be configured to take an action >when disk space is running low but prior to running out of space completely. >Edit the file <code>/etc/audit/auditd.conf</code>. Add or modify the following line, >substituting <i>SIZE_in_MB</i> appropriately: ><pre>space_left = <i>SIZE_in_MB</i></pre> >Set this value to the appropriate size in Megabytes cause the system to >notify the user of an issue.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Notifying administrators of an impending disk space problem may allow them to >take corrective action prior to any disruption.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_auditd_data_retention_action_mail_acct" id="rule-detail-idm46336714024208"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure auditd mail_acct Action on Low Disk Spacexccdf_org.ssgproject.content_rule_auditd_data_retention_action_mail_acct mediumCCE-27394-6 </div><div class="panel-heading"><h3 class="panel-title">Configure auditd mail_acct Action on Low Disk Space</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_auditd_data_retention_action_mail_acct</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:26:03</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27394-6">CCE-27394-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030350</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86717r2_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.1.2</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.1</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001855</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(ii)</a>, <a href="https://www.iso.org/standard/54534.html">A.12.3.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-4</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-5(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-5(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.7.a</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000343-GPOS-00134</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>auditd</code> service can be configured to send email to >a designated account in certain situations. Add or correct the following line >in <code>/etc/audit/auditd.conf</code> to ensure that administrators are notified >via email for those situations: ><pre>action_mail_acct = <abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_auditd_action_mail_acct">root</abbr></pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Email sent to the root account is typically aliased to the >administrators of the system, who can take appropriate action.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left_action" id="rule-detail-idm46336714019136"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure auditd space_left Action on Low Disk Spacexccdf_org.ssgproject.content_rule_auditd_data_retention_space_left_action mediumCCE-27375-5 </div><div class="panel-heading"><h3 class="panel-title">Configure auditd space_left Action on Low Disk Space</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left_action</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:15</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27375-5">CCE-27375-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.1.2</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.1</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001855</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(ii)</a>, <a href="https://www.iso.org/standard/54534.html">A.12.3.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-4</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-5(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-5(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.7</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000343-GPOS-00134</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>auditd</code> service can be configured to take an action >when disk space <i>starts</i> to run low. >Edit the file <code>/etc/audit/auditd.conf</code>. Modify the following line, >substituting <i>ACTION</i> appropriately: ><pre>space_left_action = <i>ACTION</i></pre> >Possible values for <i>ACTION</i> are described in the <code>auditd.conf</code> man page. >These include: ><ul><li><code>syslog</code></li><li><code>email</code></li><li><code>exec</code></li><li><code>suspend</code></li><li><code>single</code></li><li><code>halt</code></li></ul> >Set this to <code>email</code> (instead of the default, >which is <code>suspend</code>) as it is more likely to get prompt attention. Acceptable values >also include <code>suspend</code>, <code>single</code>, and <code>halt</code>.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Notifying administrators of an impending disk space problem may >allow them to take corrective action prior to any disruption.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notchecked rule-detail-id-xccdf_org.ssgproject.content_rule_auditd_audispd_disk_full_action" id="rule-detail-idm46336714004880"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure audispd's Plugin disk_full_action When Disk Is Fullxccdf_org.ssgproject.content_rule_auditd_audispd_disk_full_action mediumCCE-80539-0 </div><div class="panel-heading"><h3 class="panel-title">Configure audispd's Plugin disk_full_action When Disk Is Full</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_auditd_audispd_disk_full_action</td></tr><tr><td>Result</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:26:03</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80539-0">CCE-80539-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001851</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000342-GPOS-00133</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030320</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86711r2_rule</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Configure the action the operating system takes if the disk the audit records >are written to becomes full. Edit the file <code>/etc/audisp/audisp-remote.conf</code>. >Add or modify the following line, substituting <i>ACTION</i> appropriately: ><pre>disk_full_action = <i>ACTION</i></pre> >Set this value to <code>single</code> to cause the system to switch to single user >mode for corrective action. Acceptable values also include <code>syslog</code> and ><code>halt</code>. For certain systems, the need for availability >outweighs the need to log all actions, and a different setting should be >determined.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Taking appropriate action in case of a filled audit storage volume will >minimize the possibility of losing audit records.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">No candidate or applicable check found.</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_rmmod" id="rule-detail-idm46336713995024"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure auditd Collects Information on Kernel Module Unloading - rmmodxccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_rmmod mediumCCE-80416-1 </div><div class="panel-heading"><h3 class="panel-title">Ensure auditd Collects Information on Kernel Module Unloading - rmmod</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_rmmod</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:15</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80416-1">CCE-80416-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030850</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86817r3_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.17</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.2.7</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000471-GPOS-00216</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000477-GPOS-00222</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To capture invocation of rmmod, utility used to remove modules from kernel, >add the following line: ><pre>-w /usr/sbin/rmmod -p x -k modules</pre> >Place to add the line depends on a way <code>auditd</code> daemon is configured. If it is configured >to use the <code>augenrules</code> program (the default), add the line to a file with suffix ><code>.rules</code> in the directory <code>/etc/audit/rules.d</code>. > >If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> utility, >add the line to file <code>/etc/audit/audit.rules</code>.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The removal of kernel modules can be used to alter the behavior of >the kernel and potentially introduce malicious code into kernel space. It is important >to have an audit trail of modules that have been introduced into the kernel.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre><span class="label label-primary">info</span>Â > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">grep: /etc/audit/audit.rules: No such file or directory ></message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_delete" id="rule-detail-idm46336713970336"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure auditd Collects Information on Kernel Module Unloading - delete_modulexccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_delete mediumCCE-80415-3 </div><div class="panel-heading"><h3 class="panel-title">Ensure auditd Collects Information on Kernel Module Unloading - delete_module</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_delete</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:15</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80415-3">CCE-80415-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030830</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86813r3_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.17</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.2.7</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000471-GPOS-00216</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000477-GPOS-00222</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To capture kernel module unloading events, use following line, setting ARCH to >either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: ><pre>-a always,exit -F arch=<i>ARCH</i> -S delete_module -F key=modules</pre> > >Place to add the line depends on a way <code>auditd</code> daemon is configured. If it is configured >to use the <code>augenrules</code> program (the default), add the line to a file with suffix ><code>.rules</code> in the directory <code>/etc/audit/rules.d</code>. > >If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> utility, >add the line to file <code>/etc/audit/audit.rules</code>.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The removal of kernel modules can be used to alter the behavior of >the kernel and potentially introduce malicious code into kernel space. It is important >to have an audit trail of modules that have been introduced into the kernel.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_modprobe" id="rule-detail-idm46336713986304"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure auditd Collects Information on Kernel Module Loading and Unloading - modprobexccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_modprobe mediumCCE-80417-9 </div><div class="panel-heading"><h3 class="panel-title">Ensure auditd Collects Information on Kernel Module Loading and Unloading - modprobe</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_modprobe</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:15</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80417-9">CCE-80417-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030860</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86819r3_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.17</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.2.7</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000471-GPOS-00216</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000477-GPOS-00222</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To capture invocation of modprobe, utility used to insert / remove modules from kernel, >add the following line: ><pre>-w /usr/sbin/modprobe -p x -k modules</pre> >Place to add the line depends on a way <code>auditd</code> daemon is configured. If it is configured >to use the <code>augenrules</code> program (the default), add the line to a file with suffix ><code>.rules</code> in the directory <code>/etc/audit/rules.d</code>. > >If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> utility, >add the line to file <code>/etc/audit/audit.rules</code>.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The addition/removal of kernel modules can be used to alter the behavior of >the kernel and potentially introduce malicious code into kernel space. It is important >to have an audit trail of modules that have been introduced into the kernel.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_finit" id="rule-detail-idm46336713961840"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_modulexccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_finit mediumCCE-80547-3 </div><div class="panel-heading"><h3 class="panel-title">Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_finit</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:16</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80547-3">CCE-80547-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030821</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-93707r1_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.17</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.2.7</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000471-GPOS-00216</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000477-GPOS-00222</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program >to read audit rules during daemon startup (the default), add the following lines to a file >with suffix <code>.rules</code> in the directory <code>/etc/audit/rules.d</code> to capture kernel module >loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: ><pre>-a always,exit -F arch=<i>ARCH</i> -S finit_module -F key=modules</pre> >If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> utility to read audit >rules during daemon startup, add the following lines to <code>/etc/audit/audit.rules</code> file >in order to capture kernel module loading and unloading events, setting ARCH to either b32 or >b64 as appropriate for your system: ><pre>-a always,exit -F arch=<i>ARCH</i> -S finit_module -F key=modules</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The addition/removal of kernel modules can be used to alter the behavior of >the kernel and potentially introduce malicious code into kernel space. It is important >to have an audit trail of modules that have been introduced into the kernel.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_insmod" id="rule-detail-idm46336713946960"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure auditd Collects Information on Kernel Module Loading - insmodxccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_insmod mediumCCE-80446-8 </div><div class="panel-heading"><h3 class="panel-title">Ensure auditd Collects Information on Kernel Module Loading - insmod</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_insmod</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:16</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80446-8">CCE-80446-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030840</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86815r3_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.17</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.2.7</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000471-GPOS-00216</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000477-GPOS-00222</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To capture invocation of insmod, utility used to insert modules into kernel, >use the following line: ><pre>-w /usr/sbin/insmod -p x -k modules</pre> >Place to add the line depends on a way <code>auditd</code> daemon is configured. If it is configured >to use the <code>augenrules</code> program (the default), add the line to a file with suffix ><code>.rules</code> in the directory <code>/etc/audit/rules.d</code>. > >If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> utility, >add the line to file <code>/etc/audit/audit.rules</code>.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The addition of kernel modules can be used to alter the behavior of >the kernel and potentially introduce malicious code into kernel space. It is important >to have an audit trail of modules that have been introduced into the kernel.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_create" id="rule-detail-idm46336713967728"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure auditd Collects Information on Kernel Module Loading - create_modulexccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_create medium</div><div class="panel-heading"><h3 class="panel-title">Ensure auditd Collects Information on Kernel Module Loading - create_module</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_create</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:16</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030819</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-93705r1_rule</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000471-GPOS-00216</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000477-GPOS-00222</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To capture kernel module loading events, use following line, setting ARCH to >either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: ><pre>-a always,exit -F arch=<i>ARCH</i> -S create_module -F key=modules</pre> > >Place to add the line depends on a way <code>auditd</code> daemon is configured. If it is configured >to use the <code>augenrules</code> program (the default), add the line to a file with suffix ><code>.rules</code> in the directory <code>/etc/audit/rules.d</code>. > >If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> utility, >add the line to file <code>/etc/audit/audit.rules</code>.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The addition of kernel modules can be used to alter the behavior of >the kernel and potentially introduce malicious code into kernel space. It is important >to have an audit trail of modules that have been introduced into the kernel.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_init" id="rule-detail-idm46336713917920"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure auditd Collects Information on Kernel Module Loading - init_modulexccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_init mediumCCE-80414-6 </div><div class="panel-heading"><h3 class="panel-title">Ensure auditd Collects Information on Kernel Module Loading - init_module</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_init</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:16</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80414-6">CCE-80414-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030820</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86811r3_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.17</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.2.7</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000471-GPOS-00216</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000477-GPOS-00222</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To capture kernel module loading events, use following line, setting ARCH to >either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: ><pre>-a always,exit -F arch=<i>ARCH</i> -S init_module -F key=modules</pre> > >Place to add the line depends on a way <code>auditd</code> daemon is configured. If it is configured >to use the <code>augenrules</code> program (the default), add the line to a file with suffix ><code>.rules</code> in the directory <code>/etc/audit/rules.d</code>. > >If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> utility, >add the line to file <code>/etc/audit/audit.rules</code>.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The addition of kernel modules can be used to alter the behavior of >the kernel and potentially introduce malicious code into kernel space. It is important >to have an audit trail of modules that have been introduced into the kernel.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_login_events_lastlog" id="rule-detail-idm46336713894528"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Record Attempts to Alter Logon and Logout Events - lastlogxccdf_org.ssgproject.content_rule_audit_rules_login_events_lastlog mediumCCE-80384-1 </div><div class="panel-heading"><h3 class="panel-title">Record Attempts to Alter Logon and Logout Events - lastlog</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_login_events_lastlog</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:16</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80384-1">CCE-80384-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030620</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86771r2_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.8</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002884</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000126</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.2.3</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000392-GPOS-00172</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000470-GPOS-00214</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000473-GPOS-00218</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The audit system already collects login information for all users >and root. If the <code>auditd</code> daemon is configured to use the ><code>augenrules</code> program to read audit rules during daemon startup (the >default), add the following lines to a file with suffix <code>.rules</code> in the >directory <code>/etc/audit/rules.d</code> in order to watch for attempted manual >edits of files involved in storing logon events: ><pre>-w /var/log/lastlog -p wa -k logins</pre> >If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> >utility to read audit rules during daemon startup, add the following lines to ><code>/etc/audit/audit.rules</code> file in order to watch for unattempted manual >edits of files involved in storing logon events: ><pre>-w /var/log/lastlog -p wa -k logins</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Manual editing of these files may indicate nefarious activity, such >as an attacker attempting to remove evidence of an intrusion.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_login_events_faillock" id="rule-detail-idm46336713932096"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Record Attempts to Alter Logon and Logout Events - faillockxccdf_org.ssgproject.content_rule_audit_rules_login_events_faillock mediumCCE-80383-3 </div><div class="panel-heading"><h3 class="panel-title">Record Attempts to Alter Logon and Logout Events - faillock</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_login_events_faillock</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:16</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80383-3">CCE-80383-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030610</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86769r3_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.8</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002884</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000126</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.2.3</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000392-GPOS-00172</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000470-GPOS-00214</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000473-GPOS-00218</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The audit system already collects login information for all users >and root. If the <code>auditd</code> daemon is configured to use the ><code>augenrules</code> program to read audit rules during daemon startup (the >default), add the following lines to a file with suffix <code>.rules</code> in the >directory <code>/etc/audit/rules.d</code> in order to watch for attempted manual >edits of files involved in storing logon events: ><pre>-w /var/run/faillock/ -p wa -k logins</pre> >If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> >utility to read audit rules during daemon startup, add the following lines to ><code>/etc/audit/audit.rules</code> file in order to watch for unattempted manual >edits of files involved in storing logon events: ><pre>-w /var/run/faillock/ -p wa -k logins</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Manual editing of these files may indicate nefarious activity, such >as an attacker attempting to remove evidence of an intrusion.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_login_events_tallylog" id="rule-detail-idm46336713880896"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Record Attempts to Alter Logon and Logout Events - tallylogxccdf_org.ssgproject.content_rule_audit_rules_login_events_tallylog mediumCCE-80382-5 </div><div class="panel-heading"><h3 class="panel-title">Record Attempts to Alter Logon and Logout Events - tallylog</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_login_events_tallylog</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:16</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80382-5">CCE-80382-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030600</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86767r2_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.8</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002884</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000126</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.2.3</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000392-GPOS-00172</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000470-GPOS-00214</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000473-GPOS-00218</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The audit system already collects login information for all users >and root. If the <code>auditd</code> daemon is configured to use the ><code>augenrules</code> program to read audit rules during daemon startup (the >default), add the following lines to a file with suffix <code>.rules</code> in the >directory <code>/etc/audit/rules.d</code> in order to watch for attempted manual >edits of files involved in storing logon events: ><pre>-w /var/log/tallylog -p wa -k logins</pre> >If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> >utility to read audit rules during daemon startup, add the following lines to ><code>/etc/audit/audit.rules</code> file in order to watch for unattempted manual >edits of files involved in storing logon events: ><pre>-w /var/log/tallylog -p wa -k logins</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Manual editing of these files may indicate nefarious activity, such >as an attacker attempting to remove evidence of an intrusion.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchown" id="rule-detail-idm46336713847312"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Record Events that Modify the System's Discretionary Access Controls - fchownxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchown unknownCCE-27356-5 </div><div class="panel-heading"><h3 class="panel-title">Record Events that Modify the System's Discretionary Access Controls - fchown</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchown</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:16</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27356-5">CCE-27356-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030380</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86723r3_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.10</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000126</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.5.5</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000064-GPOS-00033</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000392-GPOS-00172</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000458-GPOS-00203</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000474-GPOS-00219</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>At a minimum, the audit system should collect file permission >changes for all users and root. If the <code>auditd</code> daemon is configured >to use the <code>augenrules</code> program to read audit rules during daemon >startup (the default), add the following line to a file with suffix ><code>.rules</code> in the directory <code>/etc/audit/rules.d</code>: ><pre>-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod</pre> >If the system is 64 bit then also add the following line: ><pre>-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod</pre> >If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> >utility to read audit rules during daemon startup, add the following line to ><code>/etc/audit/audit.rules</code> file: ><pre>-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod</pre> >If the system is 64 bit then also add the following line: ><pre>-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The changing of file permissions could indicate that a user is attempting to >gain access to information that would otherwise be disallowed. Auditing DAC modifications >can facilitate the identification of patterns of abuse among both authorized and >unauthorized users.</p></div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span>Â > Note that these rules can be configured in a >number of ways while still achieving the desired effect. Here the system calls >have been placed independent of other system calls. Grouping these system >calls with others as identifying earlier in this guide is more efficient.</div></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_setxattr" id="rule-detail-idm46336713842288"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Record Events that Modify the System's Discretionary Access Controls - setxattrxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_setxattr unknownCCE-27213-8 </div><div class="panel-heading"><h3 class="panel-title">Record Events that Modify the System's Discretionary Access Controls - setxattr</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_setxattr</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:16</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27213-8">CCE-27213-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030440</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86735r3_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.10</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000126</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.5.5</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000064-GPOS-00033</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000392-GPOS-00172</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000458-GPOS-00203</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>At a minimum, the audit system should collect file permission >changes for all users and root. If the <code>auditd</code> daemon is configured >to use the <code>augenrules</code> program to read audit rules during daemon >startup (the default), add the following line to a file with suffix ><code>.rules</code> in the directory <code>/etc/audit/rules.d</code>: ><pre>-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod</pre> >If the system is 64 bit then also add the following line: ><pre>-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod</pre> >If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> >utility to read audit rules during daemon startup, add the following line to ><code>/etc/audit/audit.rules</code> file: ><pre>-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod</pre> >If the system is 64 bit then also add the following line: ><pre>-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The changing of file permissions could indicate that a user is attempting to >gain access to information that would otherwise be disallowed. Auditing DAC modifications >can facilitate the identification of patterns of abuse among both authorized and >unauthorized users.</p></div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span>Â > Note that these rules can be configured in a >number of ways while still achieving the desired effect. Here the system calls >have been placed independent of other system calls. Grouping these system >calls with others as identifying earlier in this guide is more efficient.</div></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown" id="rule-detail-idm46336713817312"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Record Events that Modify the System's Discretionary Access Controls - chownxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown unknownCCE-27364-9 </div><div class="panel-heading"><h3 class="panel-title">Record Events that Modify the System's Discretionary Access Controls - chown</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:16</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27364-9">CCE-27364-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030370</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86721r3_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.10</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000126</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.5.5</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000064-GPOS-00033</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000392-GPOS-00172</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000458-GPOS-00203</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000474-GPOS-00219</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>At a minimum, the audit system should collect file permission >changes for all users and root. If the <code>auditd</code> daemon is configured to >use the <code>augenrules</code> program to read audit rules during daemon startup >(the default), add the following line to a file with suffix <code>.rules</code> in >the directory <code>/etc/audit/rules.d</code>: ><pre>-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod</pre> >If the system is 64 bit then also add the following line: ><pre>-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod</pre> >If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> >utility to read audit rules during daemon startup, add the following line to ><code>/etc/audit/audit.rules</code> file: ><pre>-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod</pre> >If the system is 64 bit then also add the following line: ><pre>-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The changing of file permissions could indicate that a user is attempting to >gain access to information that would otherwise be disallowed. Auditing DAC modifications >can facilitate the identification of patterns of abuse among both authorized and >unauthorized users.</p></div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span>Â > Note that these rules can be configured in a >number of ways while still achieving the desired effect. Here the system calls >have been placed independent of other system calls. Grouping these system >calls with others as identifying earlier in this guide is more efficient.</div></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lsetxattr" id="rule-detail-idm46336713802224"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Record Events that Modify the System's Discretionary Access Controls - lsetxattrxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lsetxattr unknownCCE-27280-7 </div><div class="panel-heading"><h3 class="panel-title">Record Events that Modify the System's Discretionary Access Controls - lsetxattr</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lsetxattr</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:16</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27280-7">CCE-27280-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030460</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86739r3_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.10</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000126</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.5.5</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000064-GPOS-00033</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000392-GPOS-00172</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000458-GPOS-00203</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000474-GPOS-00219</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>At a minimum, the audit system should collect file permission >changes for all users and root. If the <code>auditd</code> daemon is configured >to use the <code>augenrules</code> program to read audit rules during daemon >startup (the default), add the following line to a file with suffix ><code>.rules</code> in the directory <code>/etc/audit/rules.d</code>: ><pre>-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod</pre> >If the system is 64 bit then also add the following line: ><pre>-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod</pre> >If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> >utility to read audit rules during daemon startup, add the following line to ><code>/etc/audit/audit.rules</code> file: ><pre>-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod</pre> >If the system is 64 bit then also add the following line: ><pre>-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The changing of file permissions could indicate that a user is attempting to >gain access to information that would otherwise be disallowed. Auditing DAC modifications >can facilitate the identification of patterns of abuse among both authorized and >unauthorized users.</p></div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span>Â > Note that these rules can be configured in a >number of ways while still achieving the desired effect. Here the system calls >have been placed independent of other system calls. Grouping these system >calls with others as identifying earlier in this guide is more efficient.</div></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chmod" id="rule-detail-idm46336713787072"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Record Events that Modify the System's Discretionary Access Controls - chmodxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chmod unknownCCE-27339-1 </div><div class="panel-heading"><h3 class="panel-title">Record Events that Modify the System's Discretionary Access Controls - chmod</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chmod</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:16</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27339-1">CCE-27339-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030410</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86729r3_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.10</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000126</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.5.5</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000064-GPOS-00033</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000392-GPOS-00172</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000458-GPOS-00203</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>At a minimum, the audit system should collect file permission >changes for all users and root. If the <code>auditd</code> daemon is configured to >use the <code>augenrules</code> program to read audit rules during daemon startup >(the default), add the following line to a file with suffix <code>.rules</code> in >the directory <code>/etc/audit/rules.d</code>: ><pre>-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod</pre> >If the system is 64 bit then also add the following line: ><pre>-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod</pre> >If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> >utility to read audit rules during daemon startup, add the following line to ><code>/etc/audit/audit.rules</code> file: ><pre>-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod</pre> >If the system is 64 bit then also add the following line: ><pre>-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The changing of file permissions could indicate that a user is attempting to >gain access to information that would otherwise be disallowed. Auditing DAC modifications >can facilitate the identification of patterns of abuse among both authorized and >unauthorized users.</p></div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span>Â > Note that these rules can be configured in a >number of ways while still achieving the desired effect. Here the system calls >have been placed independent of other system calls. Grouping these system >calls with others as identifying earlier in this guide is more efficient.</div></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmodat" id="rule-detail-idm46336713771728"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Record Events that Modify the System's Discretionary Access Controls - fchmodatxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmodat unknownCCE-27388-8 </div><div class="panel-heading"><h3 class="panel-title">Record Events that Modify the System's Discretionary Access Controls - fchmodat</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmodat</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:16</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27388-8">CCE-27388-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030430</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86733r3_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.10</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000126</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.5.5</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000064-GPOS-00033</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000392-GPOS-00172</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000458-GPOS-00203</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>At a minimum, the audit system should collect file permission >changes for all users and root. If the <code>auditd</code> daemon is configured to >use the <code>augenrules</code> program to read audit rules during daemon startup >(the default), add the following line to a file with suffix <code>.rules</code> in >the directory <code>/etc/audit/rules.d</code>: ><pre>-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod</pre> >If the system is 64 bit then also add the following line: ><pre>-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod</pre> >If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> >utility to read audit rules during daemon startup, add the following line to ><code>/etc/audit/audit.rules</code> file: ><pre>-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod</pre> >If the system is 64 bit then also add the following line: ><pre>-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The changing of file permissions could indicate that a user is attempting to >gain access to information that would otherwise be disallowed. Auditing DAC modifications >can facilitate the identification of patterns of abuse among both authorized and >unauthorized users.</p></div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span>Â > Note that these rules can be configured in a >number of ways while still achieving the desired effect. Here the system calls >have been placed independent of other system calls. Grouping these system >calls with others as identifying earlier in this guide is more efficient.</div></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_removexattr" id="rule-detail-idm46336713756800"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Record Events that Modify the System's Discretionary Access Controls - removexattrxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_removexattr mediumCCE-27367-2 </div><div class="panel-heading"><h3 class="panel-title">Record Events that Modify the System's Discretionary Access Controls - removexattr</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_removexattr</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:16</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27367-2">CCE-27367-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030470</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86741r3_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.10</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.5.5</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000064-GPOS-00033</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000392-GPOS-00172</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000458-GPOS-00203</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>At a minimum, the audit system should collect file permission >changes for all users and root. ><br><br> >If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> >program to read audit rules during daemon startup (the default), add the >following line to a file with suffix <code>.rules</code> in the directory <code>/etc/audit/rules.d</code>: ><pre>-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod</pre> ><br><br> >If the system is 64 bit then also add the following line: ><pre>-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod</pre> ><br><br> >If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> >utility to read audit rules during daemon startup, add the following line to ><code>/etc/audit/audit.rules</code> file: ><pre>-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod</pre> ><br><br> >If the system is 64 bit then also add the following line: ><pre>-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The changing of file permissions could indicate that a user is attempting to >gain access to information that would otherwise be disallowed. Auditing DAC modifications >can facilitate the identification of patterns of abuse among both authorized and >unauthorized users.</p></div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span>Â > Note that these rules can be configured in a >number of ways while still achieving the desired effect. Here the system calls >have been placed independent of other system calls. Grouping these system >calls with others as identifying earlier in this guide is more efficient.</div></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fremovexattr" id="rule-detail-idm46336713741920"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Record Events that Modify the System's Discretionary Access Controls - fremovexattrxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fremovexattr mediumCCE-27353-2 </div><div class="panel-heading"><h3 class="panel-title">Record Events that Modify the System's Discretionary Access Controls - fremovexattr</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fremovexattr</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:16</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27353-2">CCE-27353-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030480</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86743r3_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.10</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.5.5</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000064-GPOS-00033</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000392-GPOS-00172</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000458-GPOS-00203</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>At a minimum, the audit system should collect file permission >changes for all users and root. ><br><br> >If the <code>auditd</code> daemon is configured >to use the <code>augenrules</code> program to read audit rules during daemon >startup (the default), add the following line to a file with suffix ><code>.rules</code> in the directory <code>/etc/audit/rules.d</code>: ><pre>-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod</pre> ><br><br> >If the system is 64 bit then also add the following line: ><pre>-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod</pre> ><br><br> >If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> >utility to read audit rules during daemon startup, add the following line to ><code>/etc/audit/audit.rules</code> file: ><pre>-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod</pre> ><br><br> >If the system is 64 bit then also add the following line: ><pre>-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The changing of file permissions could indicate that a user is attempting to >gain access to information that would otherwise be disallowed. Auditing DAC modifications >can facilitate the identification of patterns of abuse among both authorized and >unauthorized users.</p></div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span>Â > Note that these rules can be configured in a >number of ways while still achieving the desired effect. Here the system calls >have been placed independent of other system calls. Grouping these system >calls with others as identifying earlier in this guide is more efficient.</div></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchownat" id="rule-detail-idm46336713726688"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Record Events that Modify the System's Discretionary Access Controls - fchownatxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchownat unknownCCE-27387-0 </div><div class="panel-heading"><h3 class="panel-title">Record Events that Modify the System's Discretionary Access Controls - fchownat</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchownat</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:16</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27387-0">CCE-27387-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030400</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86727r3_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.10</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000126</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.5.5</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000064-GPOS-00033</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000392-GPOS-00172</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000458-GPOS-00203</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000474-GPOS-00219</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>At a minimum, the audit system should collect file permission >changes for all users and root. If the <code>auditd</code> daemon is configured >to use the <code>augenrules</code> program to read audit rules during daemon >startup (the default), add the following line to a file with suffix ><code>.rules</code> in the directory <code>/etc/audit/rules.d</code>: ><pre>-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod</pre> >If the system is 64 bit then also add the following line: ><pre>-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod</pre> >If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> >utility to read audit rules during daemon startup, add the following line to ><code>/etc/audit/audit.rules</code> file: ><pre>-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod</pre> >If the system is 64 bit then also add the following line: ><pre>-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The changing of file permissions could indicate that a user is attempting to >gain access to information that would otherwise be disallowed. Auditing DAC modifications >can facilitate the identification of patterns of abuse among both authorized and >unauthorized users.</p></div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span>Â > Note that these rules can be configured in a >number of ways while still achieving the desired effect. Here the system calls >have been placed independent of other system calls. Grouping these system >calls with others as identifying earlier in this guide is more efficient.</div></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmod" id="rule-detail-idm46336713711776"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Record Events that Modify the System's Discretionary Access Controls - fchmodxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmod unknownCCE-27393-8 </div><div class="panel-heading"><h3 class="panel-title">Record Events that Modify the System's Discretionary Access Controls - fchmod</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmod</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:16</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27393-8">CCE-27393-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030420</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86731r3_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.10</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000126</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.5.5</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000064-GPOS-00033</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000392-GPOS-00172</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000458-GPOS-00203</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>At a minimum, the audit system should collect file permission >changes for all users and root. If the <code>auditd</code> daemon is configured to >use the <code>augenrules</code> program to read audit rules during daemon startup >(the default), add the following line to a file with suffix <code>.rules</code> in >the directory <code>/etc/audit/rules.d</code>: ><pre>-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod</pre> >If the system is 64 bit then also add the following line: ><pre>-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod</pre> >If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> >utility to read audit rules during daemon startup, add the following line to ><code>/etc/audit/audit.rules</code> file: ><pre>-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod</pre> >If the system is 64 bit then also add the following line: ><pre>-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The changing of file permissions could indicate that a user is attempting to >gain access to information that would otherwise be disallowed. Auditing DAC modifications >can facilitate the identification of patterns of abuse among both authorized and >unauthorized users.</p></div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span>Â > Note that these rules can be configured in a >number of ways while still achieving the desired effect. Here the system calls >have been placed independent of other system calls. Grouping these system >calls with others as identifying earlier in this guide is more efficient.</div></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lremovexattr" id="rule-detail-idm46336713696656"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Record Events that Modify the System's Discretionary Access Controls - lremovexattrxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lremovexattr mediumCCE-27410-0 </div><div class="panel-heading"><h3 class="panel-title">Record Events that Modify the System's Discretionary Access Controls - lremovexattr</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lremovexattr</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:16</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27410-0">CCE-27410-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030490</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86745r3_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.10</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.5.5</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000064-GPOS-00033</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000392-GPOS-00172</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000458-GPOS-00203</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>At a minimum, the audit system should collect file permission >changes for all users and root. ><br><br> >If the <code>auditd</code> daemon is configured >to use the <code>augenrules</code> program to read audit rules during daemon >startup (the default), add the following line to a file with suffix ><code>.rules</code> in the directory <code>/etc/audit/rules.d</code>: ><pre>-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod</pre> ><br><br> >If the system is 64 bit then also add the following line: ><pre>-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod</pre> ><br><br> >If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> >utility to read audit rules during daemon startup, add the following line to ><code>/etc/audit/audit.rules</code> file: ><pre>-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod</pre> ><br><br> >If the system is 64 bit then also add the following line: ><pre>-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The changing of file permissions could indicate that a user is attempting to >gain access to information that would otherwise be disallowed. Auditing DAC modifications >can facilitate the identification of patterns of abuse among both authorized and >unauthorized users.</p></div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span>Â > Note that these rules can be configured in a >number of ways while still achieving the desired effect. Here the system calls >have been placed independent of other system calls. Grouping these system >calls with others as identifying earlier in this guide is more efficient.</div></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fsetxattr" id="rule-detail-idm46336713681648"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Record Events that Modify the System's Discretionary Access Controls - fsetxattrxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fsetxattr unknownCCE-27389-6 </div><div class="panel-heading"><h3 class="panel-title">Record Events that Modify the System's Discretionary Access Controls - fsetxattr</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fsetxattr</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:16</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27389-6">CCE-27389-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030450</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86737r3_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.10</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000126</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.5.5</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000064-GPOS-00033</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000392-GPOS-00172</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000458-GPOS-00203</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>At a minimum, the audit system should collect file permission >changes for all users and root. If the <code>auditd</code> daemon is configured >to use the <code>augenrules</code> program to read audit rules during daemon >startup (the default), add the following line to a file with suffix ><code>.rules</code> in the directory <code>/etc/audit/rules.d</code>: ><pre>-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod</pre> >If the system is 64 bit then also add the following line: ><pre>-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod</pre> >If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> >utility to read audit rules during daemon startup, add the following line to ><code>/etc/audit/audit.rules</code> file: ><pre>-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod</pre> >If the system is 64 bit then also add the following line: ><pre>-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The changing of file permissions could indicate that a user is attempting to >gain access to information that would otherwise be disallowed. Auditing DAC modifications >can facilitate the identification of patterns of abuse among both authorized and >unauthorized users.</p></div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span>Â > Note that these rules can be configured in a >number of ways while still achieving the desired effect. Here the system calls >have been placed independent of other system calls. Grouping these system >calls with others as identifying earlier in this guide is more efficient.</div></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lchown" id="rule-detail-idm46336713666896"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Record Events that Modify the System's Discretionary Access Controls - lchownxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lchown unknownCCE-27083-5 </div><div class="panel-heading"><h3 class="panel-title">Record Events that Modify the System's Discretionary Access Controls - lchown</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lchown</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:16</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27083-5">CCE-27083-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030390</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86725r3_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.10</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000126</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.5.5</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000064-GPOS-00033</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000392-GPOS-00172</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000458-GPOS-00203</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000474-GPOS-00219</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>At a minimum, the audit system should collect file permission >changes for all users and root. If the <code>auditd</code> daemon is configured >to use the <code>augenrules</code> program to read audit rules during daemon >startup (the default), add the following line to a file with suffix ><code>.rules</code> in the directory <code>/etc/audit/rules.d</code>: ><pre>-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod</pre> >If the system is 64 bit then also add the following line: ><pre>-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod</pre> >If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> >utility to read audit rules during daemon startup, add the following line to ><code>/etc/audit/audit.rules</code> file: ><pre>-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod</pre> >If the system is 64 bit then also add the following line: ><pre>-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The changing of file permissions could indicate that a user is attempting to >gain access to information that would otherwise be disallowed. Auditing DAC modifications >can facilitate the identification of patterns of abuse among both authorized and >unauthorized users.</p></div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span>Â > Note that these rules can be configured in a >number of ways while still achieving the desired effect. Here the system calls >have been placed independent of other system calls. Grouping these system >calls with others as identifying earlier in this guide is more efficient.</div></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_execution_setfiles" id="rule-detail-idm46336713651424"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Record Any Attempts to Run setfilesxccdf_org.ssgproject.content_rule_audit_rules_execution_setfiles medium</div><div class="panel-heading"><h3 class="panel-title">Record Any Attempts to Run setfiles</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_execution_setfiles</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:16</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030590</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86765r4_rule</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002884</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000392-GPOS-00172</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000463-GPOS-00207</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000465-GPOS-00209</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>At a minimum, the audit system should collect any execution attempt >of the <code>setfiles</code> command for all users and root. If the <code>auditd</code> >daemon is configured to use the <code>augenrules</code> program to read audit rules >during daemon startup (the default), add the following lines to a file with suffix ><code>.rules</code> in the directory <code>/etc/audit/rules.d</code>: ><pre>-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change</pre> >If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> >utility to read audit rules during daemon startup, add the following lines to ><code>/etc/audit/audit.rules</code> file: ><pre>-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Misuse of privileged functions, either intentionally or unintentionally by >authorized users, or by unauthorized external entities that have compromised system accounts, >is a serious and ongoing concern and can have significant adverse impacts on organizations. >Auditing the use of privileged functions is one way to detect such misuse and identify >the risk from insider and advanced persistent threast. ><br><br> >Privileged programs are subject to escalation-of-privilege attacks, >which attempt to subvert their normal role of providing some necessary but >limited capability. As such, motivation exists to monitor these programs for >unusual activity.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_execution_setsebool" id="rule-detail-idm46336713634224"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Record Any Attempts to Run setseboolxccdf_org.ssgproject.content_rule_audit_rules_execution_setsebool mediumCCE-80392-4 </div><div class="panel-heading"><h3 class="panel-title">Record Any Attempts to Run setsebool</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_execution_setsebool</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:16</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80392-4">CCE-80392-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030570</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86761r3_rule</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002884</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000392-GPOS-00172</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000463-GPOS-00207</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000465-GPOS-00209</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>At a minimum, the audit system should collect any execution attempt >of the <code>setsebool</code> command for all users and root. If the <code>auditd</code> >daemon is configured to use the <code>augenrules</code> program to read audit rules >during daemon startup (the default), add the following lines to a file with suffix ><code>.rules</code> in the directory <code>/etc/audit/rules.d</code>: ><pre>-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change</pre> >If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> >utility to read audit rules during daemon startup, add the following lines to ><code>/etc/audit/audit.rules</code> file: ><pre>-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Misuse of privileged functions, either intentionally or unintentionally by >authorized users, or by unauthorized external entities that have compromised system accounts, >is a serious and ongoing concern and can have significant adverse impacts on organizations. >Auditing the use of privileged functions is one way to detect such misuse and identify >the risk from insider and advanced persistent threast. ><br><br> >Privileged programs are subject to escalation-of-privilege attacks, >which attempt to subvert their normal role of providing some necessary but >limited capability. As such, motivation exists to monitor these programs for >unusual activity.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_execution_semanage" id="rule-detail-idm46336713829440"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Record Any Attempts to Run semanagexccdf_org.ssgproject.content_rule_audit_rules_execution_semanage mediumCCE-80391-6 </div><div class="panel-heading"><h3 class="panel-title">Record Any Attempts to Run semanage</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_execution_semanage</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:16</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80391-6">CCE-80391-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030560</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86759r3_rule</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002884</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000392-GPOS-00172</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000463-GPOS-00207</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000465-GPOS-00209</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>At a minimum, the audit system should collect any execution attempt >of the <code>semanage</code> command for all users and root. If the <code>auditd</code> >daemon is configured to use the <code>augenrules</code> program to read audit rules >during daemon startup (the default), add the following lines to a file with suffix ><code>.rules</code> in the directory <code>/etc/audit/rules.d</code>: ><pre>-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change</pre> >If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> >utility to read audit rules during daemon startup, add the following lines to ><code>/etc/audit/audit.rules</code> file: ><pre>-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Misuse of privileged functions, either intentionally or unintentionally by >authorized users, or by unauthorized external entities that have compromised system accounts, >is a serious and ongoing concern and can have significant adverse impacts on organizations. >Auditing the use of privileged functions is one way to detect such misuse and identify >the risk from insider and advanced persistent threast. ><br><br> >Privileged programs are subject to escalation-of-privilege attacks, >which attempt to subvert their normal role of providing some necessary but >limited capability. As such, motivation exists to monitor these programs for >unusual activity.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_execution_chcon" id="rule-detail-idm46336713833408"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Record Any Attempts to Run chconxccdf_org.ssgproject.content_rule_audit_rules_execution_chcon mediumCCE-80393-2 </div><div class="panel-heading"><h3 class="panel-title">Record Any Attempts to Run chcon</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_execution_chcon</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:16</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80393-2">CCE-80393-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030580</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86763r3_rule</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002884</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000392-GPOS-00172</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000463-GPOS-00207</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000465-GPOS-00209</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>At a minimum, the audit system should collect any execution attempt >of the <code>chcon</code> command for all users and root. If the <code>auditd</code> >daemon is configured to use the <code>augenrules</code> program to read audit rules >during daemon startup (the default), add the following lines to a file with suffix ><code>.rules</code> in the directory <code>/etc/audit/rules.d</code>: ><pre>-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change</pre> >If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> >utility to read audit rules during daemon startup, add the following lines to ><code>/etc/audit/audit.rules</code> file: ><pre>-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Misuse of privileged functions, either intentionally or unintentionally by >authorized users, or by unauthorized external entities that have compromised system accounts, >is a serious and ongoing concern and can have significant adverse impacts on organizations. >Auditing the use of privileged functions is one way to detect such misuse and identify >the risk from insider and advanced persistent threast. ><br><br> >Privileged programs are subject to escalation-of-privilege attacks, >which attempt to subvert their normal role of providing some necessary but >limited capability. As such, motivation exists to monitor these programs for >unusual activity.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rmdir" id="rule-detail-idm46336713590384"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure auditd Collects File Deletion Events by User - rmdirxccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rmdir mediumCCE-80412-0 </div><div class="panel-heading"><h3 class="panel-title">Ensure auditd Collects File Deletion Events by User - rmdir</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rmdir</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:16</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80412-0">CCE-80412-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030900</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86827r3_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.14</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002884</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MA-4(1)(a)</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.2.7</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000466-GPOS-00210</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000467-GPOS-00210</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000468-GPOS-00212</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000392-GPOS-00172</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>At a minimum, the audit system should collect file deletion events >for all users and root. If the <code>auditd</code> daemon is configured to use the ><code>augenrules</code> program to read audit rules during daemon startup (the >default), add the following line to a file with suffix <code>.rules</code> in the >directory <code>/etc/audit/rules.d</code>, setting ARCH to either b32 or b64 as >appropriate for your system: ><pre>-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=4294967295 -F key=delete</pre> >If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> >utility to read audit rules during daemon startup, add the following line to ><code>/etc/audit/audit.rules</code> file, setting ARCH to either b32 or b64 as >appropriate for your system: ><pre>-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=4294967295 -F key=delete</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Auditing file deletions will create an audit trail for files that are removed >from the system. The audit trail could aid in system troubleshooting, as well as, detecting >malicious processes that attempt to delete log files to conceal their presence.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlinkat" id="rule-detail-idm46336713616672"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure auditd Collects File Deletion Events by User - unlinkatxccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlinkat mediumCCE-27206-2 </div><div class="panel-heading"><h3 class="panel-title">Ensure auditd Collects File Deletion Events by User - unlinkat</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlinkat</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:16</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27206-2">CCE-27206-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030920</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86831r3_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.14</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002884</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MA-4(1)(a)</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.2.7</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000466-GPOS-00210</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000467-GPOS-00210</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000468-GPOS-00212</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000392-GPOS-00172</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>At a minimum, the audit system should collect file deletion events >for all users and root. If the <code>auditd</code> daemon is configured to use the ><code>augenrules</code> program to read audit rules during daemon startup (the >default), add the following line to a file with suffix <code>.rules</code> in the >directory <code>/etc/audit/rules.d</code>, setting ARCH to either b32 or b64 as >appropriate for your system: ><pre>-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=4294967295 -F key=delete</pre> >If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> >utility to read audit rules during daemon startup, add the following line to ><code>/etc/audit/audit.rules</code> file, setting ARCH to either b32 or b64 as >appropriate for your system: ><pre>-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=4294967295 -F key=delete</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Auditing file deletions will create an audit trail for files that are removed >from the system. The audit trail could aid in system troubleshooting, as well as, detecting >malicious processes that attempt to delete log files to conceal their presence.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rename" id="rule-detail-idm46336713620352"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure auditd Collects File Deletion Events by User - renamexccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rename mediumCCE-27206-2 </div><div class="panel-heading"><h3 class="panel-title">Ensure auditd Collects File Deletion Events by User - rename</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rename</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:16</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27206-2">CCE-27206-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030880</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86823r3_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.14</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002884</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MA-4(1)(a)</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.2.7</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000466-GPOS-00210</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000467-GPOS-00210</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000468-GPOS-00212</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000392-GPOS-00172</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>At a minimum, the audit system should collect file deletion events >for all users and root. If the <code>auditd</code> daemon is configured to use the ><code>augenrules</code> program to read audit rules during daemon startup (the >default), add the following line to a file with suffix <code>.rules</code> in the >directory <code>/etc/audit/rules.d</code>, setting ARCH to either b32 or b64 as >appropriate for your system: ><pre>-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=4294967295 -F key=delete</pre> >If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> >utility to read audit rules during daemon startup, add the following line to ><code>/etc/audit/audit.rules</code> file, setting ARCH to either b32 or b64 as >appropriate for your system: ><pre>-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=4294967295 -F key=delete</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Auditing file deletions will create an audit trail for files that are removed >from the system. The audit trail could aid in system troubleshooting, as well as, detecting >malicious processes that attempt to delete log files to conceal their presence.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_renameat" id="rule-detail-idm46336713567152"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure auditd Collects File Deletion Events by User - renameatxccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_renameat mediumCCE-80413-8 </div><div class="panel-heading"><h3 class="panel-title">Ensure auditd Collects File Deletion Events by User - renameat</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_renameat</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:16</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80413-8">CCE-80413-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030890</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86825r3_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.14</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002884</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MA-4(1)(a)</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.2.7</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000466-GPOS-00210</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000467-GPOS-00210</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000468-GPOS-00212</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000392-GPOS-00172</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>At a minimum, the audit system should collect file deletion events >for all users and root. If the <code>auditd</code> daemon is configured to use the ><code>augenrules</code> program to read audit rules during daemon startup (the >default), add the following line to a file with suffix <code>.rules</code> in the >directory <code>/etc/audit/rules.d</code>, setting ARCH to either b32 or b64 as >appropriate for your system: ><pre>-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=4294967295 -F key=delete</pre> >If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> >utility to read audit rules during daemon startup, add the following line to ><code>/etc/audit/audit.rules</code> file, setting ARCH to either b32 or b64 as >appropriate for your system: ><pre>-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=4294967295 -F key=delete</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Auditing file deletions will create an audit trail for files that are removed >from the system. The audit trail could aid in system troubleshooting, as well as, detecting >malicious processes that attempt to delete log files to conceal their presence.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlink" id="rule-detail-idm46336713569424"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure auditd Collects File Deletion Events by User - unlinkxccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlink mediumCCE-27206-2 </div><div class="panel-heading"><h3 class="panel-title">Ensure auditd Collects File Deletion Events by User - unlink</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlink</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:16</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27206-2">CCE-27206-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030910</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86829r3_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.14</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002884</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MA-4(1)(a)</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.2.7</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000466-GPOS-00210</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000467-GPOS-00210</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000468-GPOS-00212</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000392-GPOS-00172</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>At a minimum, the audit system should collect file deletion events >for all users and root. If the <code>auditd</code> daemon is configured to use the ><code>augenrules</code> program to read audit rules during daemon startup (the >default), add the following line to a file with suffix <code>.rules</code> in the >directory <code>/etc/audit/rules.d</code>, setting ARCH to either b32 or b64 as >appropriate for your system: ><pre>-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=4294967295 -F key=delete</pre> >If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> >utility to read audit rules during daemon startup, add the following line to ><code>/etc/audit/audit.rules</code> file, setting ARCH to either b32 or b64 as >appropriate for your system: ><pre>-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=4294967295 -F key=delete</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Auditing file deletions will create an audit trail for files that are removed >from the system. The audit trail could aid in system troubleshooting, as well as, detecting >malicious processes that attempt to delete log files to conceal their presence.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_umount" id="rule-detail-idm46336713512704"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure auditd Collects Information on the Use of Privileged Commands - umountxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_umount mediumCCE-80405-4 </div><div class="panel-heading"><h3 class="panel-title">Ensure auditd Collects Information on the Use of Privileged Commands - umount</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_umount</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:16</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80405-4">CCE-80405-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030750</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86797r4_rule</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000135</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002884</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-3(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000042-GPOS-00020</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000392-GPOS-00172</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000471-GPOS-00215</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>At a minimum, the audit system should collect the execution of >privileged commands for all users and root. If the <code>auditd</code> daemon is >configured to use the <code>augenrules</code> program to read audit rules during >daemon startup (the default), add a line of the following form to a file with >suffix <code>.rules</code> in the directory <code>/etc/audit/rules.d</code>: ><pre>-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged</pre> >If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> >utility to read audit rules during daemon startup, add a line of the following >form to <code>/etc/audit/audit.rules</code>: ><pre>-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Misuse of privileged functions, either intentionally or unintentionally by >authorized users, or by unauthorized external entities that have compromised system accounts, >is a serious and ongoing concern and can have significant adverse impacts on organizations. >Auditing the use of privileged functions is one way to detect such misuse and identify >the risk from insider and advanced persistent threast. ><br><br> >Privileged programs are subject to escalation-of-privilege attacks, >which attempt to subvert their normal role of providing some necessary but >limited capability. As such, motivation exists to monitor these programs for >unusual activity.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_passwd" id="rule-detail-idm46336713497248"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure auditd Collects Information on the Use of Privileged Commands - passwdxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_passwd mediumCCE-80395-7 </div><div class="panel-heading"><h3 class="panel-title">Ensure auditd Collects Information on the Use of Privileged Commands - passwd</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_passwd</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:16</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80395-7">CCE-80395-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030630</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86773r3_rule</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000135</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002884</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-3(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000042-GPOS-00020</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000392-GPOS-00172</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000471-GPOS-00215</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>At a minimum, the audit system should collect the execution of >privileged commands for all users and root. If the <code>auditd</code> daemon is >configured to use the <code>augenrules</code> program to read audit rules during >daemon startup (the default), add a line of the following form to a file with >suffix <code>.rules</code> in the directory <code>/etc/audit/rules.d</code>: ><pre>-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged</pre> >If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> >utility to read audit rules during daemon startup, add a line of the following >form to <code>/etc/audit/audit.rules</code>: ><pre>-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Misuse of privileged functions, either intentionally or unintentionally by >authorized users, or by unauthorized external entities that have compromised system accounts, >is a serious and ongoing concern and can have significant adverse impacts on organizations. >Auditing the use of privileged functions is one way to detect such misuse and identify >the risk from insider and advanced persistent threast. ><br><br> >Privileged programs are subject to escalation-of-privilege attacks, >which attempt to subvert their normal role of providing some necessary but >limited capability. As such, motivation exists to monitor these programs for >unusual activity.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_postqueue" id="rule-detail-idm46336713482592"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure auditd Collects Information on the Use of Privileged Commands - postqueuexccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_postqueue mediumCCE-80407-0 </div><div class="panel-heading"><h3 class="panel-title">Ensure auditd Collects Information on the Use of Privileged Commands - postqueue</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_postqueue</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:16</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80407-0">CCE-80407-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030770</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86801r2_rule</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000135</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002884</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-3(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000042-GPOS-00020</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000392-GPOS-00172</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000471-GPOS-00215</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>At a minimum, the audit system should collect the execution of >privileged commands for all users and root. If the <code>auditd</code> daemon is >configured to use the <code>augenrules</code> program to read audit rules during >daemon startup (the default), add a line of the following form to a file with >suffix <code>.rules</code> in the directory <code>/etc/audit/rules.d</code>: ><pre>-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged</pre> >If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> >utility to read audit rules during daemon startup, add a line of the following >form to <code>/etc/audit/audit.rules</code>: ><pre>-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Misuse of privileged functions, either intentionally or unintentionally by >authorized users, or by unauthorized external entities that have compromised system accounts, >is a serious and ongoing concern and can have significant adverse impacts on organizations. >Auditing the use of privileged functions is one way to detect such misuse and identify >the risk from insider and advanced persistent threast. ><br><br> >Privileged programs are subject to escalation-of-privilege attacks, >which attempt to subvert their normal role of providing some necessary but >limited capability. As such, motivation exists to monitor these programs for >unusual activity.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chage" id="rule-detail-idm46336713468048"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure auditd Collects Information on the Use of Privileged Commands - chagexccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chage mediumCCE-80398-1 </div><div class="panel-heading"><h3 class="panel-title">Ensure auditd Collects Information on the Use of Privileged Commands - chage</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chage</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:16</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80398-1">CCE-80398-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030660</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86779r3_rule</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000135</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002884</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-3(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000042-GPOS-00020</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000392-GPOS-00172</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000471-GPOS-00215</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>At a minimum, the audit system should collect the execution of >privileged commands for all users and root. If the <code>auditd</code> daemon is >configured to use the <code>augenrules</code> program to read audit rules during >daemon startup (the default), add a line of the following form to a file with >suffix <code>.rules</code> in the directory <code>/etc/audit/rules.d</code>: ><pre>-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged</pre> >If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> >utility to read audit rules during daemon startup, add a line of the following >form to <code>/etc/audit/audit.rules</code>: ><pre>-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Misuse of privileged functions, either intentionally or unintentionally by >authorized users, or by unauthorized external entities that have compromised system accounts, >is a serious and ongoing concern and can have significant adverse impacts on organizations. >Auditing the use of privileged functions is one way to detect such misuse and identify >the risk from insider and advanced persistent threast. ><br><br> >Privileged programs are subject to escalation-of-privilege attacks, >which attempt to subvert their normal role of providing some necessary but >limited capability. As such, motivation exists to monitor these programs for >unusual activity.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-error rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands" id="rule-detail-idm46336713452976"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure auditd Collects Information on the Use of Privileged Commandsxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands mediumCCE-27437-3 </div><div class="panel-heading"><h3 class="panel-title">Ensure auditd Collects Information on the Use of Privileged Commands</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands</td></tr><tr><td>Result</td><td class="rule-result rule-result-error"><div><abbr title="The checking engine could not complete the evaluation, therefore the status of the target's compliance with the rule is not certain. This could happen, for example, if a testing tool was run with insufficient privileges and could not gather all of the necessary information.">error</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:32</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27437-3">CCE-27437-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030360</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86719r5_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.10</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002234</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(4)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-6(9)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.2.2</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000327-GPOS-00127</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>At a minimum, the audit system should collect the execution of >privileged commands for all users and root. To find the relevant setuid / >setgid programs, run the following command for each local partition ><i>PART</i>: ><pre>$ sudo find <i>PART</i> -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null</pre> >If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> >program to read audit rules during daemon startup (the default), add a line of >the following form to a file with suffix <code>.rules</code> in the directory ><code>/etc/audit/rules.d</code> for each setuid / setgid program on the system, >replacing the <i>SETUID_PROG_PATH</i> part with the full path of that setuid / >setgid program in the list: ><pre>-a always,exit -F path=<i>SETUID_PROG_PATH</i> -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged</pre> >If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> >utility to read audit rules during daemon startup, add a line of the following >form to <code>/etc/audit/audit.rules</code> for each setuid / setgid program on the >system, replacing the <i>SETUID_PROG_PATH</i> part with the full path of that >setuid / setgid program in the list: ><pre>-a always,exit -F path=<i>SETUID_PROG_PATH</i> -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Misuse of privileged functions, either intentionally or unintentionally by >authorized users, or by unauthorized external entities that have compromised system accounts, >is a serious and ongoing concern and can have significant adverse impacts on organizations. >Auditing the use of privileged functions is one way to detect such misuse and identify >the risk from insider and advanced persistent threast. ><br><br> >Privileged programs are subject to escalation-of-privilege attacks, >which attempt to subvert their normal role of providing some necessary but >limited capability. As such, motivation exists to monitor these programs for >unusual activity.</p></div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span>Â > This rule checks for multiple syscalls related to privileged commands; >it was written with DISA STIG in mind. Other policies should use a >separate rule for each syscall that needs to be checked. For example: ><ul><li><code>audit_rules_privileged_commands_su</code></li><li><code>audit_rules_privileged_commands_umount</code></li><li><code>audit_rules_privileged_commands_passwd</code></li></ul></div></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre><span class="label label-primary">info</span>Â > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Failed to verify applied fix: Checking engine returns: fail</message></pre></div></div></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation Shell script:</span>Â Â Â <a data-toggle="collapse" data-target="#idm46336719758016">(show)</a><br></br><div class="panel-collapse collapse" id="idm46336719758016"><pre><code> > ># Perform the remediation for both possible tools: 'auditctl' and 'augenrules' ><abbr title="from TestResult: xccdf_org.ssgproject.content_value_function_perform_audit_rules_privileged_commands_remediation"># Function to perform remediation for 'audit_rules_privileged_commands' rule ># ># Expects two arguments: ># ># audit_tool tool used to load audit rules ># One of 'auditctl' or 'augenrules' ># ># min_auid Minimum original ID the user logged in with ># '500' for RHEL-6 and before, '1000' for RHEL-7 and after. ># ># Example Call(s): ># ># perform_audit_rules_privileged_commands_remediation "auditctl" "500" ># perform_audit_rules_privileged_commands_remediation "augenrules" "1000" ># >function perform_audit_rules_privileged_commands_remediation { ># ># Load function arguments into local variables >local tool="$1" >local min_auid="$2" > ># Check sanity of the input >if [ $# -ne "2" ] >then > echo "Usage: perform_audit_rules_privileged_commands_remediation 'auditctl | augenrules' '500 | 1000'" > echo "Aborting." > exit 1 >fi > >declare -a files_to_inspect=() > ># Check sanity of the specified audit tool >if [ "$tool" != 'auditctl' ] && [ "$tool" != 'augenrules' ] >then > echo "Unknown audit rules loading tool: $1. Aborting." > echo "Use either 'auditctl' or 'augenrules'!" > exit 1 ># If the audit tool is 'auditctl', then: ># * add '/etc/audit/audit.rules'to the list of files to be inspected, ># * specify '/etc/audit/audit.rules' as the output audit file, where ># missing rules should be inserted >elif [ "$tool" == 'auditctl' ] >then > files_to_inspect=("/etc/audit/audit.rules") > output_audit_file="/etc/audit/audit.rules" ># ># If the audit tool is 'augenrules', then: ># * add '/etc/audit/rules.d/*.rules' to the list of files to be inspected ># (split by newline), ># * specify /etc/audit/rules.d/privileged.rules' as the output file, where ># missing rules should be inserted >elif [ "$tool" == 'augenrules' ] >then > IFS=$'\n' files_to_inspect=($(find /etc/audit/rules.d -maxdepth 1 -type f -name '*.rules' -print)) > output_audit_file="/etc/audit/rules.d/privileged.rules" >fi > ># Obtain the list of SUID/SGID binaries on the particular system (split by newline) ># into privileged_binaries array >IFS=$'\n' privileged_binaries=($(find / -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null)) > ># Keep list of SUID/SGID binaries that have been already handled within some previous iteration >declare -a sbinaries_to_skip=() > ># For each found sbinary in privileged_binaries list >for sbinary in "${privileged_binaries[@]}" >do > > # Check if this sbinary wasn't already handled in some of the previous iterations > # Return match only if whole sbinary definition matched (not in the case just prefix matched!!!) > if [[ $(sed -ne "\|${sbinary}|p" <<< "${sbinaries_to_skip[*]}") ]] > then > # If so, don't process it second time & go to process next sbinary > continue > fi > > # Reset the counter of inspected files when starting to check > # presence of existing audit rule for new sbinary > local count_of_inspected_files=0 > > # Define expected rule form for this binary > expected_rule="-a always,exit -F path=${sbinary} -F perm=x -F auid>=${min_auid} -F auid!=4294967295 -k privileged" > > # If list of audit rules files to be inspected is empty, just add new rule and move on to next binary > if [[ ${#files_to_inspect[@]} -eq 0 ]]; then > echo "$expected_rule" >> "$output_audit_file" > continue > fi > > # Replace possible slash '/' character in sbinary definition so we could use it in sed expressions below > sbinary_esc=${sbinary//$'/'/$'\/'} > > # For each audit rules file from the list of files to be inspected > for afile in "${files_to_inspect[@]}" > do > > # Search current audit rules file's content for match. Match criteria: > # * existing rule is for the same SUID/SGID binary we are currently processing (but > # can contain multiple -F path= elements covering multiple SUID/SGID binaries) > # * existing rule contains all arguments from expected rule form (though can contain > # them in arbitrary order) > > base_search=$(sed -e '/-a always,exit/!d' -e '/-F path='"${sbinary_esc}"'/!d' \ > -e '/-F path=[^[:space:]]\+/!d' -e '/-F perm=.*/!d' \ > -e '/-F auid>='"${min_auid}"'/!d' -e '/-F auid!=4294967295/!d' \ > -e '/-k privileged/!d' "$afile") > > # Increase the count of inspected files for this sbinary > count_of_inspected_files=$((count_of_inspected_files + 1)) > > # Require execute access type to be set for existing audit rule > exec_access='x' > > # Search current audit rules file's content for presence of rule pattern for this sbinary > if [[ $base_search ]] > then > > # Current audit rules file already contains rule for this binary => > # Store the exact form of found rule for this binary for further processing > concrete_rule=$base_search > > # Select all other SUID/SGID binaries possibly also present in the found rule > IFS=$'\n' handled_sbinaries=($(grep -o -e "-F path=[^[:space:]]\+" <<< "$concrete_rule")) > IFS=$' ' handled_sbinaries=(${handled_sbinaries[@]//-F path=/}) > > # Merge the list of such SUID/SGID binaries found in this iteration with global list ignoring duplicates > sbinaries_to_skip=($(for i in "${sbinaries_to_skip[@]}" "${handled_sbinaries[@]}"; do echo "$i"; done | sort -du)) > > # Separate concrete_rule into three sections using hash '#' > # sign as a delimiter around rule's permission section borders > concrete_rule="$(echo "$concrete_rule" | sed -n "s/\(.*\)\+\(-F perm=[rwax]\+\)\+/\1#\2#/p")" > > # Split concrete_rule into head, perm, and tail sections using hash '#' delimiter > IFS=$'#' read -r rule_head rule_perm rule_tail <<< "$concrete_rule" > > # Extract already present exact access type [r|w|x|a] from rule's permission section > access_type=${rule_perm//-F perm=/} > > # Verify current permission access type(s) for rule contain 'x' (execute) permission > if ! grep -q "$exec_access" <<< "$access_type" > then > > # If not, append the 'x' (execute) permission to the existing access type bits > access_type="$access_type$exec_access" > # Reconstruct the permissions section for the rule > new_rule_perm="-F perm=$access_type" > # Update existing rule in current audit rules file with the new permission section > sed -i "s#${rule_head}\(.*\)${rule_tail}#${rule_head}${new_rule_perm}${rule_tail}#" "$afile" > > fi > > # If the required audit rule for particular sbinary wasn't found yet, insert it under following conditions: > # > # * in the "auditctl" mode of operation insert particular rule each time > # (because in this mode there's only one file -- /etc/audit/audit.rules to be inspected for presence of this rule), > # > # * in the "augenrules" mode of operation insert particular rule only once and only in case we have already > # searched all of the files from /etc/audit/rules.d/*.rules location (since that audit rule can be defined > # in any of those files and if not, we want it to be inserted only once into /etc/audit/rules.d/privileged.rules file) > # > elif [ "$tool" == "auditctl" ] || [[ "$tool" == "augenrules" && $count_of_inspected_files -eq "${#files_to_inspect[@]}" ]] > then > > # Current audit rules file's content doesn't contain expected rule for this > # SUID/SGID binary yet => append it > echo "$expected_rule" >> "$output_audit_file" > continue > fi > > done > >done >} ></abbr> >perform_audit_rules_privileged_commands_remediation "auditctl" "1000" >perform_audit_rules_privileged_commands_remediation "augenrules" "1000" ></code></pre></div></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation Ansible snippet:</span>Â Â Â <a data-toggle="collapse" data-target="#idm46336719751920">(show)</a><br></br><div class="panel-collapse collapse" id="idm46336719751920"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code> >- name: Search for privileged commands > shell: "find / -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null | cat" > check_mode: no > register: find_result > tags: > - audit_rules_privileged_commands > - medium_severity > - restrict_strategy > - low_complexity > - low_disruption > - CCE-27437-3 > - NIST-800-53-AC-17(7) > - NIST-800-53-AU-1(b) > - NIST-800-53-AU-2(a) > - NIST-800-53-AU-2(c) > - NIST-800-53-AU-2(d) > - NIST-800-53-AU-2(4) > - NIST-800-53-AU-6(9) > - NIST-800-53-AU-12(a) > - NIST-800-53-AU-12(c) > - NIST-800-53-IR-5 > - NIST-800-171-3.1.7 > - PCI-DSS-Req-10.2.2 > - CJIS-5.4.1.1 > - DISA-STIG-RHEL-07-030360 > ># Inserts/replaces the rule in /etc/audit/rules.d > >- name: Search /etc/audit/rules.d for audit rule entries > find: > paths: "/etc/audit/rules.d" > recurse: no > contains: "^.*path={{ item }} .*$" > patterns: "*.rules" > with_items: > - "{{ find_result.stdout_lines }}" > register: files_result > tags: > - audit_rules_privileged_commands > - medium_severity > - restrict_strategy > - low_complexity > - low_disruption > - CCE-27437-3 > - NIST-800-53-AC-17(7) > - NIST-800-53-AU-1(b) > - NIST-800-53-AU-2(a) > - NIST-800-53-AU-2(c) > - NIST-800-53-AU-2(d) > - NIST-800-53-AU-2(4) > - NIST-800-53-AU-6(9) > - NIST-800-53-AU-12(a) > - NIST-800-53-AU-12(c) > - NIST-800-53-IR-5 > - NIST-800-171-3.1.7 > - PCI-DSS-Req-10.2.2 > - CJIS-5.4.1.1 > - DISA-STIG-RHEL-07-030360 > >- name: Overwrites the rule in rules.d > lineinfile: > path: "{{ item.1.path }}" > line: '-a always,exit -F path={{ item.0.item }} -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged' > create: no > regexp: "^.*path={{ item.0.item }} .*$" > with_subelements: > - "{{ files_result.results }}" > - files > tags: > - audit_rules_privileged_commands > - medium_severity > - restrict_strategy > - low_complexity > - low_disruption > - CCE-27437-3 > - NIST-800-53-AC-17(7) > - NIST-800-53-AU-1(b) > - NIST-800-53-AU-2(a) > - NIST-800-53-AU-2(c) > - NIST-800-53-AU-2(d) > - NIST-800-53-AU-2(4) > - NIST-800-53-AU-6(9) > - NIST-800-53-AU-12(a) > - NIST-800-53-AU-12(c) > - NIST-800-53-IR-5 > - NIST-800-171-3.1.7 > - PCI-DSS-Req-10.2.2 > - CJIS-5.4.1.1 > - DISA-STIG-RHEL-07-030360 > >- name: Adds the rule in rules.d > lineinfile: > path: /etc/audit/rules.d/privileged.rules > line: '-a always,exit -F path={{ item.item }} -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged' > create: yes > with_items: > - "{{ files_result.results }}" > when: item.matched == 0 > tags: > - audit_rules_privileged_commands > - medium_severity > - restrict_strategy > - low_complexity > - low_disruption > - CCE-27437-3 > - NIST-800-53-AC-17(7) > - NIST-800-53-AU-1(b) > - NIST-800-53-AU-2(a) > - NIST-800-53-AU-2(c) > - NIST-800-53-AU-2(d) > - NIST-800-53-AU-2(4) > - NIST-800-53-AU-6(9) > - NIST-800-53-AU-12(a) > - NIST-800-53-AU-12(c) > - NIST-800-53-IR-5 > - NIST-800-171-3.1.7 > - PCI-DSS-Req-10.2.2 > - CJIS-5.4.1.1 > - DISA-STIG-RHEL-07-030360 > ># Adds/overwrites the rule in /etc/audit/audit.rules > >- name: Inserts/replaces the rule in audit.rules > lineinfile: > path: /etc/audit/audit.rules > line: '-a always,exit -F path={{ item.item }} -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged' > create: yes > regexp: "^.*path={{ item.item }} .*$" > with_items: > - "{{ files_result.results }}" > tags: > - audit_rules_privileged_commands > - medium_severity > - restrict_strategy > - low_complexity > - low_disruption > - CCE-27437-3 > - NIST-800-53-AC-17(7) > - NIST-800-53-AU-1(b) > - NIST-800-53-AU-2(a) > - NIST-800-53-AU-2(c) > - NIST-800-53-AU-2(d) > - NIST-800-53-AU-2(4) > - NIST-800-53-AU-6(9) > - NIST-800-53-AU-12(a) > - NIST-800-53-AU-12(c) > - NIST-800-53-IR-5 > - NIST-800-171-3.1.7 > - PCI-DSS-Req-10.2.2 > - CJIS-5.4.1.1 > - DISA-STIG-RHEL-07-030360 > > ></code></pre></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_userhelper" id="rule-detail-idm46336713426064"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure auditd Collects Information on the Use of Privileged Commands - userhelperxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_userhelper mediumCCE-80399-9 </div><div class="panel-heading"><h3 class="panel-title">Ensure auditd Collects Information on the Use of Privileged Commands - userhelper</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_userhelper</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:32</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80399-9">CCE-80399-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030670</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86781r3_rule</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000135</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002884</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-3(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000042-GPOS-00020</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000392-GPOS-00172</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000471-GPOS-00215</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>At a minimum, the audit system should collect the execution of >privileged commands for all users and root. If the <code>auditd</code> daemon is >configured to use the <code>augenrules</code> program to read audit rules during >daemon startup (the default), add a line of the following form to a file with >suffix <code>.rules</code> in the directory <code>/etc/audit/rules.d</code>: ><pre>-a always,exit -F path=/usr/bin/userhelper -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged</pre> >If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> >utility to read audit rules during daemon startup, add a line of the following >form to <code>/etc/audit/audit.rules</code>: ><pre>-a always,exit -F path=/usr/bin/userhelper -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Misuse of privileged functions, either intentionally or unintentionally by >authorized users, or by unauthorized external entities that have compromised system accounts, >is a serious and ongoing concern and can have significant adverse impacts on organizations. >Auditing the use of privileged functions is one way to detect such misuse and identify >the risk from insider and advanced persistent threast. ><br><br> >Privileged programs are subject to escalation-of-privilege attacks, >which attempt to subvert their normal role of providing some necessary but >limited capability. As such, motivation exists to monitor these programs for >unusual activity.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_ssh_keysign" id="rule-detail-idm46336713538864"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysignxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_ssh_keysign mediumCCE-80408-8 </div><div class="panel-heading"><h3 class="panel-title">Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_ssh_keysign</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:32</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80408-8">CCE-80408-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030780</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86803r2_rule</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000135</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002884</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-3(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000042-GPOS-00020</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000392-GPOS-00172</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000471-GPOS-00215</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>At a minimum, the audit system should collect the execution of >privileged commands for all users and root. If the <code>auditd</code> daemon is >configured to use the <code>augenrules</code> program to read audit rules during >daemon startup (the default), add a line of the following form to a file with >suffix <code>.rules</code> in the directory <code>/etc/audit/rules.d</code>: ><pre>-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged</pre> >If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> >utility to read audit rules during daemon startup, add a line of the following >form to <code>/etc/audit/audit.rules</code>: ><pre>-a always,exit -F path=/usr/libexec/openssh/key-sign -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Misuse of privileged functions, either intentionally or unintentionally by >authorized users, or by unauthorized external entities that have compromised system accounts, >is a serious and ongoing concern and can have significant adverse impacts on organizations. >Auditing the use of privileged functions is one way to detect such misuse and identify >the risk from insider and advanced persistent threast. ><br><br> >Privileged programs are subject to escalation-of-privilege attacks, >which attempt to subvert their normal role of providing some necessary but >limited capability. As such, motivation exists to monitor these programs for >unusual activity.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudoedit" id="rule-detail-idm46336713419360"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure auditd Collects Information on the Use of Privileged Commands - sudoeditxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudoedit mediumCCE-80402-1 </div><div class="panel-heading"><h3 class="panel-title">Ensure auditd Collects Information on the Use of Privileged Commands - sudoedit</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudoedit</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:32</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80402-1">CCE-80402-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030730</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86793r4_rule</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000135</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002884</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-3(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000042-GPOS-00020</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000392-GPOS-00172</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000471-GPOS-00215</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>At a minimum, the audit system should collect the execution of >privileged commands for all users and root. If the <code>auditd</code> daemon is >configured to use the <code>augenrules</code> program to read audit rules during >daemon startup (the default), add a line of the following form to a file with >suffix <code>.rules</code> in the directory <code>/etc/audit/rules.d</code>: ><pre>-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged</pre> >If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> >utility to read audit rules during daemon startup, add a line of the following >form to <code>/etc/audit/audit.rules</code>: ><pre>-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Misuse of privileged functions, either intentionally or unintentionally by >authorized users, or by unauthorized external entities that have compromised system accounts, >is a serious and ongoing concern and can have significant adverse impacts on organizations. >Auditing the use of privileged functions is one way to detect such misuse and identify >the risk from insider and advanced persistent threast. ><br><br> >Privileged programs are subject to escalation-of-privilege attacks, >which attempt to subvert their normal role of providing some necessary but >limited capability. As such, motivation exists to monitor these programs for >unusual activity.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_su" id="rule-detail-idm46336713388560"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure auditd Collects Information on the Use of Privileged Commands - suxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_su mediumCCE-80400-5 </div><div class="panel-heading"><h3 class="panel-title">Ensure auditd Collects Information on the Use of Privileged Commands - su</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_su</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:32</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80400-5">CCE-80400-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030680</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86783r4_rule</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000135</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002884</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-3(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000042-GPOS-00020</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000392-GPOS-00172</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000471-GPOS-00215</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>At a minimum, the audit system should collect the execution of >privileged commands for all users and root. If the <code>auditd</code> daemon is >configured to use the <code>augenrules</code> program to read audit rules during >daemon startup (the default), add a line of the following form to a file with >suffix <code>.rules</code> in the directory <code>/etc/audit/rules.d</code>: ><pre>-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged</pre> >If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> >utility to read audit rules during daemon startup, add a line of the following >form to <code>/etc/audit/audit.rules</code>: ><pre>-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Misuse of privileged functions, either intentionally or unintentionally by >authorized users, or by unauthorized external entities that have compromised system accounts, >is a serious and ongoing concern and can have significant adverse impacts on organizations. >Auditing the use of privileged functions is one way to detect such misuse and identify >the risk from insider and advanced persistent threast. ><br><br> >Privileged programs are subject to escalation-of-privilege attacks, >which attempt to subvert their normal role of providing some necessary but >limited capability. As such, motivation exists to monitor these programs for >unusual activity.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_pam_timestamp_check" id="rule-detail-idm46336713377424"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_checkxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_pam_timestamp_check mediumCCE-80411-2 </div><div class="panel-heading"><h3 class="panel-title">Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_pam_timestamp_check</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:32</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80411-2">CCE-80411-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030810</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86809r3_rule</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000135</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002884</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-3(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000042-GPOS-00020</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000392-GPOS-00172</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000471-GPOS-00215</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>At a minimum, the audit system should collect the execution of >privileged commands for all users and root. If the <code>auditd</code> daemon is >configured to use the <code>augenrules</code> program to read audit rules during >daemon startup (the default), add a line of the following form to a file with >suffix <code>.rules</code> in the directory <code>/etc/audit/rules.d</code>: ><pre>-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged</pre> >If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> >utility to read audit rules during daemon startup, add a line of the following >form to <code>/etc/audit/audit.rules</code>: ><pre>-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Misuse of privileged functions, either intentionally or unintentionally by >authorized users, or by unauthorized external entities that have compromised system accounts, >is a serious and ongoing concern and can have significant adverse impacts on organizations. >Auditing the use of privileged functions is one way to detect such misuse and identify >the risk from insider and advanced persistent threast. ><br><br> >Privileged programs are subject to escalation-of-privilege attacks, >which attempt to subvert their normal role of providing some necessary but >limited capability. As such, motivation exists to monitor these programs for >unusual activity.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudo" id="rule-detail-idm46336713401584"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure auditd Collects Information on the Use of Privileged Commands - sudoxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudo mediumCCE-80401-3 </div><div class="panel-heading"><h3 class="panel-title">Ensure auditd Collects Information on the Use of Privileged Commands - sudo</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudo</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:32</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80401-3">CCE-80401-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030690</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86785r3_rule</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000135</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002884</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-3(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000042-GPOS-00020</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000392-GPOS-00172</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000471-GPOS-00215</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>At a minimum, the audit system should collect the execution of >privileged commands for all users and root. If the <code>auditd</code> daemon is >configured to use the <code>augenrules</code> program to read audit rules during >daemon startup (the default), add a line of the following form to a file with >suffix <code>.rules</code> in the directory <code>/etc/audit/rules.d</code>: ><pre>-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged</pre> >If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> >utility to read audit rules during daemon startup, add a line of the following >form to <code>/etc/audit/audit.rules</code>: ><pre>-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Misuse of privileged functions, either intentionally or unintentionally by >authorized users, or by unauthorized external entities that have compromised system accounts, >is a serious and ongoing concern and can have significant adverse impacts on organizations. >Auditing the use of privileged functions is one way to detect such misuse and identify >the risk from insider and advanced persistent threast. ><br><br> >Privileged programs are subject to escalation-of-privilege attacks, >which attempt to subvert their normal role of providing some necessary but >limited capability. As such, motivation exists to monitor these programs for >unusual activity.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_newgrp" id="rule-detail-idm46336713407360"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure auditd Collects Information on the Use of Privileged Commands - newgrpxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_newgrp mediumCCE-80403-9 </div><div class="panel-heading"><h3 class="panel-title">Ensure auditd Collects Information on the Use of Privileged Commands - newgrp</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_newgrp</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:32</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80403-9">CCE-80403-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030710</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86789r3_rule</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000135</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002884</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-3(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000042-GPOS-00020</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000392-GPOS-00172</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000471-GPOS-00215</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>At a minimum, the audit system should collect the execution of >privileged commands for all users and root. If the <code>auditd</code> daemon is >configured to use the <code>augenrules</code> program to read audit rules during >daemon startup (the default), add a line of the following form to a file with >suffix <code>.rules</code> in the directory <code>/etc/audit/rules.d</code>: ><pre>-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged</pre> >If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> >utility to read audit rules during daemon startup, add a line of the following >form to <code>/etc/audit/audit.rules</code>: ><pre>-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Misuse of privileged functions, either intentionally or unintentionally by >authorized users, or by unauthorized external entities that have compromised system accounts, >is a serious and ongoing concern and can have significant adverse impacts on organizations. >Auditing the use of privileged functions is one way to detect such misuse and identify >the risk from insider and advanced persistent threast. ><br><br> >Privileged programs are subject to escalation-of-privilege attacks, >which attempt to subvert their normal role of providing some necessary but >limited capability. As such, motivation exists to monitor these programs for >unusual activity.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_crontab" id="rule-detail-idm46336713332848"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure auditd Collects Information on the Use of Privileged Commands - crontabxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_crontab mediumCCE-80410-4 </div><div class="panel-heading"><h3 class="panel-title">Ensure auditd Collects Information on the Use of Privileged Commands - crontab</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_crontab</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:32</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80410-4">CCE-80410-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030800</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86807r2_rule</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000135</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002884</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-3(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000042-GPOS-00020</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000392-GPOS-00172</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000471-GPOS-00215</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>At a minimum, the audit system should collect the execution of >privileged commands for all users and root. If the <code>auditd</code> daemon is >configured to use the <code>augenrules</code> program to read audit rules during >daemon startup (the default), add a line of the following form to a file with >suffix <code>.rules</code> in the directory <code>/etc/audit/rules.d</code>: ><pre>-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged</pre> >If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> >utility to read audit rules during daemon startup, add a line of the following >form to <code>/etc/audit/audit.rules</code>: ><pre>-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Misuse of privileged functions, either intentionally or unintentionally by >authorized users, or by unauthorized external entities that have compromised system accounts, >is a serious and ongoing concern and can have significant adverse impacts on organizations. >Auditing the use of privileged functions is one way to detect such misuse and identify >the risk from insider and advanced persistent threast. ><br><br> >Privileged programs are subject to escalation-of-privilege attacks, >which attempt to subvert their normal role of providing some necessary but >limited capability. As such, motivation exists to monitor these programs for >unusual activity.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_gpasswd" id="rule-detail-idm46336713318016"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure auditd Collects Information on the Use of Privileged Commands - gpasswdxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_gpasswd mediumCCE-80397-3 </div><div class="panel-heading"><h3 class="panel-title">Ensure auditd Collects Information on the Use of Privileged Commands - gpasswd</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_gpasswd</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:32</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80397-3">CCE-80397-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030650</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86777r3_rule</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000135</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002884</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-3(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000042-GPOS-00020</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000392-GPOS-00172</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000471-GPOS-00215</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>At a minimum, the audit system should collect the execution of >privileged commands for all users and root. If the <code>auditd</code> daemon is >configured to use the <code>augenrules</code> program to read audit rules during >daemon startup (the default), add a line of the following form to a file with >suffix <code>.rules</code> in the directory <code>/etc/audit/rules.d</code>: ><pre>-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged</pre> >If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> >utility to read audit rules during daemon startup, add a line of the following >form to <code>/etc/audit/audit.rules</code>: ><pre>-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Misuse of privileged functions, either intentionally or unintentionally by >authorized users, or by unauthorized external entities that have compromised system accounts, >is a serious and ongoing concern and can have significant adverse impacts on organizations. >Auditing the use of privileged functions is one way to detect such misuse and identify >the risk from insider and advanced persistent threast. ><br><br> >Privileged programs are subject to escalation-of-privilege attacks, >which attempt to subvert their normal role of providing some necessary but >limited capability. As such, motivation exists to monitor these programs for >unusual activity.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_unix_chkpwd" id="rule-detail-idm46336713303184"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwdxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_unix_chkpwd mediumCCE-80396-5 </div><div class="panel-heading"><h3 class="panel-title">Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwd</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_unix_chkpwd</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:32</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80396-5">CCE-80396-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030640</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86775r4_rule</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000135</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002884</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-3(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000042-GPOS-00020</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000392-GPOS-00172</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000471-GPOS-00215</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>At a minimum, the audit system should collect the execution of >privileged commands for all users and root. If the <code>auditd</code> daemon is >configured to use the <code>augenrules</code> program to read audit rules during >daemon startup (the default), add a line of the following form to a file with >suffix <code>.rules</code> in the directory <code>/etc/audit/rules.d</code>: ><pre>-a always,exit -F path=/usr/bin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged</pre> >If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> >utility to read audit rules during daemon startup, add a line of the following >form to <code>/etc/audit/audit.rules</code>: ><pre>-a always,exit -F path=/usr/bin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Misuse of privileged functions, either intentionally or unintentionally by >authorized users, or by unauthorized external entities that have compromised system accounts, >is a serious and ongoing concern and can have significant adverse impacts on organizations. >Auditing the use of privileged functions is one way to detect such misuse and identify >the risk from insider and advanced persistent threast. ><br><br> >Privileged programs are subject to escalation-of-privilege attacks, >which attempt to subvert their normal role of providing some necessary but >limited capability. As such, motivation exists to monitor these programs for >unusual activity.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_postdrop" id="rule-detail-idm46336713356768"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure auditd Collects Information on the Use of Privileged Commands - postdropxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_postdrop mediumCCE-80406-2 </div><div class="panel-heading"><h3 class="panel-title">Ensure auditd Collects Information on the Use of Privileged Commands - postdrop</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_postdrop</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:32</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80406-2">CCE-80406-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030760</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86799r3_rule</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000135</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002884</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-3(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000042-GPOS-00020</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000392-GPOS-00172</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000471-GPOS-00215</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>At a minimum, the audit system should collect the execution of >privileged commands for all users and root. If the <code>auditd</code> daemon is >configured to use the <code>augenrules</code> program to read audit rules during >daemon startup (the default), add a line of the following form to a file with >suffix <code>.rules</code> in the directory <code>/etc/audit/rules.d</code>: ><pre>-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged</pre> >If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> >utility to read audit rules during daemon startup, add a line of the following >form to <code>/etc/audit/audit.rules</code>: ><pre>-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Misuse of privileged functions, either intentionally or unintentionally by >authorized users, or by unauthorized external entities that have compromised system accounts, >is a serious and ongoing concern and can have significant adverse impacts on organizations. >Auditing the use of privileged functions is one way to detect such misuse and identify >the risk from insider and advanced persistent threast. ><br><br> >Privileged programs are subject to escalation-of-privilege attacks, >which attempt to subvert their normal role of providing some necessary but >limited capability. As such, motivation exists to monitor these programs for >unusual activity.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chsh" id="rule-detail-idm46336713362736"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure auditd Collects Information on the Use of Privileged Commands - chshxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chsh mediumCCE-80404-7 </div><div class="panel-heading"><h3 class="panel-title">Ensure auditd Collects Information on the Use of Privileged Commands - chsh</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chsh</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:32</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80404-7">CCE-80404-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030720</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86791r3_rule</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000135</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002884</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-3(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000042-GPOS-00020</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000392-GPOS-00172</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000471-GPOS-00215</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>At a minimum, the audit system should collect the execution of >privileged commands for all users and root. If the <code>auditd</code> daemon is >configured to use the <code>augenrules</code> program to read audit rules during >daemon startup (the default), add a line of the following form to a file with >suffix <code>.rules</code> in the directory <code>/etc/audit/rules.d</code>: ><pre>-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged</pre> >If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> >utility to read audit rules during daemon startup, add a line of the following >form to <code>/etc/audit/audit.rules</code>: ><pre>-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Misuse of privileged functions, either intentionally or unintentionally by >authorized users, or by unauthorized external entities that have compromised system accounts, >is a serious and ongoing concern and can have significant adverse impacts on organizations. >Auditing the use of privileged functions is one way to detect such misuse and identify >the risk from insider and advanced persistent threast. ><br><br> >Privileged programs are subject to escalation-of-privilege attacks, >which attempt to subvert their normal role of providing some necessary but >limited capability. As such, motivation exists to monitor these programs for >unusual activity.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_by_handle_at" id="rule-detail-idm46336713258800"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Record Unauthorized Access Attempts to Files (unsuccessful) - open_by_handle_atxccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_by_handle_at mediumCCE-80388-2 </div><div class="panel-heading"><h3 class="panel-title">Record Unauthorized Access Attempts to Files (unsuccessful) - open_by_handle_at</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_by_handle_at</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:32</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80388-2">CCE-80388-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030530</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86753r3_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.10</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002884</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.2.4</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.2.1</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000064-GPOS-00033</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000458-GPOS-00203</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000461-GPOS-00205</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000392-GPOS-00172</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>At a minimum, the audit system should collect unauthorized file >accesses for all users and root. If the <code>auditd</code> daemon is configured >to use the <code>augenrules</code> program to read audit rules during daemon >startup (the default), add the following lines to a file with suffix ><code>.rules</code> in the directory <code>/etc/audit/rules.d</code>: ><pre>-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access >-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access</pre> >If the system is 64 bit then also add the following lines: ><pre> >-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access >-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access</pre> >If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> >utility to read audit rules during daemon startup, add the following lines to ><code>/etc/audit/audit.rules</code> file: ><pre>-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access >-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access</pre> >If the system is 64 bit then also add the following lines: ><pre> >-a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access >-a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing >these events could serve as evidence of potential system compromise.</p></div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span>Â > Note that these rules can be configured in a >number of ways while still achieving the desired effect. Here the system calls >have been placed independent of other system calls. Grouping these system >calls with others as identifying earlier in this guide is more efficient.</div></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open" id="rule-detail-idm46336713282656"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Record Unauthorized Access Attempts to Files (unsuccessful) - openxccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open mediumCCE-80386-6 </div><div class="panel-heading"><h3 class="panel-title">Record Unauthorized Access Attempts to Files (unsuccessful) - open</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:32</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80386-6">CCE-80386-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030510</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86749r3_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.10</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002884</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.2.4</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.2.1</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000064-GPOS-00033</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000458-GPOS-00203</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000461-GPOS-00205</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000392-GPOS-00172</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>At a minimum, the audit system should collect unauthorized file >accesses for all users and root. If the <code>auditd</code> daemon is configured >to use the <code>augenrules</code> program to read audit rules during daemon >startup (the default), add the following lines to a file with suffix ><code>.rules</code> in the directory <code>/etc/audit/rules.d</code>: ><pre>-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access >-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access</pre> >If the system is 64 bit then also add the following lines: ><pre> >-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access >-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access</pre> >If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> >utility to read audit rules during daemon startup, add the following lines to ><code>/etc/audit/audit.rules</code> file: ><pre>-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access >-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access</pre> >If the system is 64 bit then also add the following lines: ><pre> >-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access >-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing >these events could serve as evidence of potential system compromise.</p></div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span>Â > Note that these rules can be configured in a >number of ways while still achieving the desired effect. Here the system calls >have been placed independent of other system calls. Grouping these system >calls with others as identifying earlier in this guide is more efficient.</div></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_creat" id="rule-detail-idm46336713286336"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Record Unauthorized Access Attempts to Files (unsuccessful) - creatxccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_creat mediumCCE-80385-8 </div><div class="panel-heading"><h3 class="panel-title">Record Unauthorized Access Attempts to Files (unsuccessful) - creat</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_creat</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:32</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80385-8">CCE-80385-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030500</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86747r3_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.10</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002884</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.2.4</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.2.1</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000064-GPOS-00033</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000458-GPOS-00203</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000461-GPOS-00205</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000392-GPOS-00172</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>At a minimum, the audit system should collect unauthorized file >accesses for all users and root. If the <code>auditd</code> daemon is configured >to use the <code>augenrules</code> program to read audit rules during daemon >startup (the default), add the following lines to a file with suffix ><code>.rules</code> in the directory <code>/etc/audit/rules.d</code>: ><pre>-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access >-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access</pre> >If the system is 64 bit then also add the following lines: ><pre> >-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access >-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access</pre> >If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> >utility to read audit rules during daemon startup, add the following lines to ><code>/etc/audit/audit.rules</code> file: ><pre>-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access >-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access</pre> >If the system is 64 bit then also add the following lines: ><pre> >-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access >-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing >these events could serve as evidence of potential system compromise.</p></div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span>Â > Note that these rules can be configured in a >number of ways while still achieving the desired effect. Here the system calls >have been placed independent of other system calls. Grouping these system >calls with others as identifying earlier in this guide is more efficient.</div></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_ftruncate" id="rule-detail-idm46336713241328"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Record Unauthorized Access Attempts to Files (unsuccessful) - ftruncatexccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_ftruncate mediumCCE-80390-8 </div><div class="panel-heading"><h3 class="panel-title">Record Unauthorized Access Attempts to Files (unsuccessful) - ftruncate</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_ftruncate</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:32</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80390-8">CCE-80390-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030550</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86757r3_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.10</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002884</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.2.4</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.2.1</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000064-GPOS-00033</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000458-GPOS-00203</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000461-GPOS-00205</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000392-GPOS-00172</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>At a minimum, the audit system should collect unauthorized file >accesses for all users and root. If the <code>auditd</code> daemon is configured >to use the <code>augenrules</code> program to read audit rules during daemon >startup (the default), add the following lines to a file with suffix ><code>.rules</code> in the directory <code>/etc/audit/rules.d</code>: ><pre>-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access >-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access</pre> >If the system is 64 bit then also add the following lines: ><pre> >-a always,exit -F arch=b64 -S ftruncate -F exiu=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access >-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access</pre> >If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> >utility to read audit rules during daemon startup, add the following lines to ><code>/etc/audit/audit.rules</code> file: ><pre>-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access >-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access</pre> >If the system is 64 bit then also add the following lines: ><pre> >-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access >-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing >these events could serve as evidence of potential system compromise.</p></div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span>Â > Note that these rules can be configured in a >number of ways while still achieving the desired effect. Here the system calls >have been placed independent of other system calls. Grouping these system >calls with others as identifying earlier in this guide is more efficient.</div></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_truncate" id="rule-detail-idm46336713229632"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Record Unauthorized Access Attempts to Files (unsuccessful) - truncatexccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_truncate mediumCCE-80389-0 </div><div class="panel-heading"><h3 class="panel-title">Record Unauthorized Access Attempts to Files (unsuccessful) - truncate</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_truncate</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:32</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80389-0">CCE-80389-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030540</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86755r3_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.10</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002884</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.2.4</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.2.1</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000064-GPOS-00033</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000458-GPOS-00203</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000461-GPOS-00205</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000392-GPOS-00172</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>At a minimum, the audit system should collect unauthorized file >accesses for all users and root. If the <code>auditd</code> daemon is configured >to use the <code>augenrules</code> program to read audit rules during daemon >startup (the default), add the following lines to a file with suffix ><code>.rules</code> in the directory <code>/etc/audit/rules.d</code>: ><pre>-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access >-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access</pre> >If the system is 64 bit then also add the following lines: ><pre> >-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access >-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access</pre> >If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> >utility to read audit rules during daemon startup, add the following lines to ><code>/etc/audit/audit.rules</code> file: ><pre>-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access >-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access</pre> >If the system is 64 bit then also add the following lines: ><pre> >-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access >-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing >these events could serve as evidence of potential system compromise.</p></div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span>Â > Note that these rules can be configured in a >number of ways while still achieving the desired effect. Here the system calls >have been placed independent of other system calls. Grouping these system >calls with others as identifying earlier in this guide is more efficient.</div></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_openat" id="rule-detail-idm46336713235472"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Record Unauthorized Access Attempts to Files (unsuccessful) - openatxccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_openat mediumCCE-80387-4 </div><div class="panel-heading"><h3 class="panel-title">Record Unauthorized Access Attempts to Files (unsuccessful) - openat</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_openat</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:32</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80387-4">CCE-80387-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030520</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86751r3_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.10</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002884</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.2.4</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.2.1</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000064-GPOS-00033</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000458-GPOS-00203</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000461-GPOS-00205</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000392-GPOS-00172</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>At a minimum, the audit system should collect unauthorized file >accesses for all users and root. If the <code>auditd</code> daemon is configured >to use the <code>augenrules</code> program to read audit rules during daemon >startup (the default), add the following lines to a file with suffix ><code>.rules</code> in the directory <code>/etc/audit/rules.d</code>: ><pre>-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access >-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access</pre> >If the system is 64 bit then also add the following lines: ><pre> >-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access >-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access</pre> >If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> >utility to read audit rules during daemon startup, add the following lines to ><code>/etc/audit/audit.rules</code> file: ><pre>-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access >-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access</pre> >If the system is 64 bit then also add the following lines: ><pre> >-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access >-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing >these events could serve as evidence of potential system compromise.</p></div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span>Â > Note that these rules can be configured in a >number of ways while still achieving the desired effect. Here the system calls >have been placed independent of other system calls. Grouping these system >calls with others as identifying earlier in this guide is more efficient.</div></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_shadow" id="rule-detail-idm46336713110544"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Record Events that Modify User/Group Information - /etc/shadowxccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_shadow mediumCCE-80431-0 </div><div class="panel-heading"><h3 class="panel-title">Record Events that Modify User/Group Information - /etc/shadow</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_shadow</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:32</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80431-0">CCE-80431-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030873</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-87823r3_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.5</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000018</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001403</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002130</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(4)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.2.5</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000004-GPOS-00004</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>If the <code>auditd</code> daemon is configured to use the ><code>augenrules</code> program to read audit rules during daemon startup (the >default), add the following lines to a file with suffix <code>.rules</code> in the >directory <code>/etc/audit/rules.d</code>, in order to capture events that modify >account changes: ><br><br> ><pre>-w /etc/shadow -p wa -k audit_rules_usergroup_modification</pre> ><br><br> >If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> >utility to read audit rules during daemon startup, add the following lines to ><code>/etc/audit/audit.rules</code> file, in order to capture events that modify >account changes: ><br><br> ><pre>-w /etc/shadow -p wa -k audit_rules_usergroup_modification</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>In addition to auditing new user and group accounts, these watches >will alert the system administrator(s) to any modifications. Any unexpected >users, groups, or modifications should be investigated for legitimacy.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_gshadow" id="rule-detail-idm46336713130800"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Record Events that Modify User/Group Information - /etc/gshadowxccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_gshadow mediumCCE-80432-8 </div><div class="panel-heading"><h3 class="panel-title">Record Events that Modify User/Group Information - /etc/gshadow</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_gshadow</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:32</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80432-8">CCE-80432-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030872</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-87819r3_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.5</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000018</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001403</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002130</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(4)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.2.5</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000004-GPOS-00004</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>If the <code>auditd</code> daemon is configured to use the ><code>augenrules</code> program to read audit rules during daemon startup (the >default), add the following lines to a file with suffix <code>.rules</code> in the >directory <code>/etc/audit/rules.d</code>, in order to capture events that modify >account changes: ><br><br> ><pre>-w /etc/gshadow -p wa -k audit_rules_usergroup_modification</pre> ><br><br> >If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> >utility to read audit rules during daemon startup, add the following lines to ><code>/etc/audit/audit.rules</code> file, in order to capture events that modify >account changes: ><br><br> ><pre>-w /etc/gshadow -p wa -k audit_rules_usergroup_modification</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>In addition to auditing new user and group accounts, these watches >will alert the system administrator(s) to any modifications. Any unexpected >users, groups, or modifications should be investigated for legitimacy.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_media_export" id="rule-detail-idm46336713142880"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure auditd Collects Information on Exporting to Media (successful)xccdf_org.ssgproject.content_rule_audit_rules_media_export mediumCCE-27447-2 </div><div class="panel-heading"><h3 class="panel-title">Ensure auditd Collects Information on Exporting to Media (successful)</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_media_export</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:32</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27447-2">CCE-27447-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030740</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86795r5_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.13</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000135</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002884</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-3(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.2.7</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000042-GPOS-00020</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000392-GPOS-00172</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>At a minimum, the audit system should collect media exportation >events for all users and root. If the <code>auditd</code> daemon is configured to >use the <code>augenrules</code> program to read audit rules during daemon startup >(the default), add the following line to a file with suffix <code>.rules</code> in >the directory <code>/etc/audit/rules.d</code>, setting ARCH to either b32 or b64 as >appropriate for your system: ><pre>-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=4294967295 -F key=export</pre> >If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> >utility to read audit rules during daemon startup, add the following line to ><code>/etc/audit/audit.rules</code> file, setting ARCH to either b32 or b64 as >appropriate for your system: ><pre>-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=4294967295 -F key=export</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The unauthorized exportation of data to external media could result in an information leak >where classified information, Privacy Act information, and intellectual property could be lost. An audit >trail should be created each time a filesystem is mounted to help identify and guard against information >loss.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_opasswd" id="rule-detail-idm46336713056000"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Record Events that Modify User/Group Information - /etc/security/opasswdxccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_opasswd mediumCCE-80430-2 </div><div class="panel-heading"><h3 class="panel-title">Record Events that Modify User/Group Information - /etc/security/opasswd</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_opasswd</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:32</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80430-2">CCE-80430-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030874</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-87825r4_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.5</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000018</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001403</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002130</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(4)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.2.5</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000004-GPOS-00004</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>If the <code>auditd</code> daemon is configured to use the ><code>augenrules</code> program to read audit rules during daemon startup (the >default), add the following lines to a file with suffix <code>.rules</code> in the >directory <code>/etc/audit/rules.d</code>, in order to capture events that modify >account changes: ><br><br> ><pre>-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification</pre> ><br><br> >If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> >utility to read audit rules during daemon startup, add the following lines to ><code>/etc/audit/audit.rules</code> file, in order to capture events that modify >account changes: ><br><br> ><pre>-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>In addition to auditing new user and group accounts, these watches >will alert the system administrator(s) to any modifications. Any unexpected >users, groups, or modifications should be investigated for legitimacy.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions" id="rule-detail-idm46336713038528"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure auditd Collects System Administrator Actionsxccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions unknownCCE-27461-3 </div><div class="panel-heading"><h3 class="panel-title">Ensure auditd Collects System Administrator Actions</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:32</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27461-3">CCE-27461-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030700</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86787r4_rule</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000126</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000130</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000135</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002884</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(7)(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">iAU-3(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.2.2</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.2.5.b</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000037-GPOS-00015</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000042-GPOS-00020</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000392-GPOS-00172</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000462-GPOS-00206</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000471-GPOS-00215</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>At a minimum, the audit system should collect administrator actions >for all users and root. If the <code>auditd</code> daemon is configured to use the ><code>augenrules</code> program to read audit rules during daemon startup (the default), >add the following line to a file with suffix <code>.rules</code> in the directory ><code>/etc/audit/rules.d</code>: ><pre>-w /etc/sudoers -p wa -k actions >-w /etc/sudoers.d/ -p wa -k actions</pre> >If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> >utility to read audit rules during daemon startup, add the following line to ><code>/etc/audit/audit.rules</code> file: ><pre>-w /etc/sudoers -p wa -k actions >-w /etc/sudoers.d/ -p wa -k actions</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The actions taken by system administrators should be audited to keep a record >of what was executed on the system, as well as, for accountability purposes.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_system_shutdown" id="rule-detail-idm46336713034784"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Shutdown System When Auditing Failures Occurxccdf_org.ssgproject.content_rule_audit_rules_system_shutdown mediumCCE-80381-7 </div><div class="panel-heading"><h3 class="panel-title">Shutdown System When Auditing Failures Occur</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_system_shutdown</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:32</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80381-7">CCE-80381-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030010</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86705r3_rule</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.4</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000139</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-5(a)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000046-GPOS-00022</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000047-GPOS-00023</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>If the <code>auditd</code> daemon is configured to use the ><code>augenrules</code> program to read audit rules during daemon startup (the >default), add the following line to a file with suffix <code>.rules</code> in the >directory <code>/etc/audit/rules.d</code>: ><pre>-f 2</pre> >If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> >utility to read audit rules during daemon startup, add the following line to the >top of the <code>/etc/audit/audit.rules</code> file: ><pre>-f 2</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>It is critical for the appropriate personnel to be aware if a system >is at risk of failing to process audit logs as required. Without this >notification, the security personnel may be unaware of an impending failure of >the audit capability, and system operation may be adversely affected. ><br><br> >Audit processing failures include software/hardware errors, failures in the >audit capturing mechanisms, and audit storage capacity being reached or >exceeded.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_passwd" id="rule-detail-idm46336713062336"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Record Events that Modify User/Group Information - /etc/passwdxccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_passwd mediumCCE-80435-1 </div><div class="panel-heading"><h3 class="panel-title">Record Events that Modify User/Group Information - /etc/passwd</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_passwd</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:32</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80435-1">CCE-80435-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030870</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86821r4_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.5</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000018</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001403</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002130</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(4)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.2.5</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000004-GPOS-00004</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000239-GPOS-00089</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000240-GPOS-00090</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000241-GPOS-00091</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000303-GPOS-00120</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000476-GPOS-00221</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>If the <code>auditd</code> daemon is configured to use the ><code>augenrules</code> program to read audit rules during daemon startup (the >default), add the following lines to a file with suffix <code>.rules</code> in the >directory <code>/etc/audit/rules.d</code>, in order to capture events that modify >account changes: ><br><br> ><pre>-w /etc/passwd -p wa -k audit_rules_usergroup_modification</pre> ><br><br> >If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> >utility to read audit rules during daemon startup, add the following lines to ><code>/etc/audit/audit.rules</code> file, in order to capture events that modify >account changes: ><br><br> ><pre>-w /etc/passwd -p wa -k audit_rules_usergroup_modification</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>In addition to auditing new user and group accounts, these watches >will alert the system administrator(s) to any modifications. Any unexpected >users, groups, or modifications should be investigated for legitimacy.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_group" id="rule-detail-idm46336713016640"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Record Events that Modify User/Group Information - /etc/groupxccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_group mediumCCE-80433-6 </div><div class="panel-heading"><h3 class="panel-title">Record Events that Modify User/Group Information - /etc/group</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_group</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:32</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80433-6">CCE-80433-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030871</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-87817r2_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.5</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000018</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001403</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002130</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(4)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.2.5</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000004-GPOS-00004</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>If the <code>auditd</code> daemon is configured to use the ><code>augenrules</code> program to read audit rules during daemon startup (the >default), add the following lines to a file with suffix <code>.rules</code> in the >directory <code>/etc/audit/rules.d</code>, in order to capture events that modify >account changes: ><br><br> ><pre>-w /etc/group -p wa -k audit_rules_usergroup_modification</pre> ><br><br> >If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> >utility to read audit rules during daemon startup, add the following lines to ><code>/etc/audit/audit.rules</code> file, in order to capture events that modify >account changes: ><br><br> ><pre>-w /etc/group -p wa -k audit_rules_usergroup_modification</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>In addition to auditing new user and group accounts, these watches >will alert the system administrator(s) to any modifications. Any unexpected >users, groups, or modifications should be investigated for legitimacy.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-error rule-detail-id-xccdf_org.ssgproject.content_rule_service_auditd_enabled" id="rule-detail-idm46336713011568"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Enable auditd Servicexccdf_org.ssgproject.content_rule_service_auditd_enabled highCCE-27407-6 </div><div class="panel-heading"><h3 class="panel-title">Enable auditd Service</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_service_auditd_enabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-error"><div><abbr title="The checking engine could not complete the evaluation, therefore the status of the target's compliance with the rule is not certain. This could happen, for example, if a testing tool was run with insufficient privileges and could not gather all of the necessary information.">error</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:33</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27407-6">CCE-27407-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030000</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86703r2_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">4.1.2</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.6</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000126</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000131</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(iv)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(2)(iii)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-10</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-14(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000038-GPOS-00016</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000039-GPOS-00017</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000042-GPOS-00021</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000254-GPOS-00095</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000255-GPOS-00096</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>auditd</code> service is an essential userspace component of >the Linux Auditing System, as it is responsible for writing audit records to >disk. > >The <code>auditd</code> service can be enabled with the following command: ><pre>$ sudo systemctl enable auditd.service</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Without establishing what type of events occurred, it would be difficult >to establish, correlate, and investigate the events leading up to an outage or attack. >Ensuring the <code>auditd</code> service is active ensures audit records >generated by the kernel are appropriately recorded. ><br><br> >Additionally, a properly configured audit subsystem ensures that actions of >individual system users can be uniquely traced to those users so they >can be held accountable for their actions.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre><span class="label label-primary">info</span>Â > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Running in chroot, ignoring request. ></message></pre><span class="label label-primary">info</span>Â > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Failed to verify applied fix: Checking engine returns: fail</message></pre></div></div></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation Shell script:</span>Â Â Â <a data-toggle="collapse" data-target="#idm46336718336112">(show)</a><br></br><div class="panel-collapse collapse" id="idm46336718336112"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code> >SYSTEMCTL_EXEC='/usr/bin/systemctl' >"$SYSTEMCTL_EXEC" start 'auditd.service' >"$SYSTEMCTL_EXEC" enable 'auditd.service' ></code></pre></div></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation Ansible snippet:</span>Â Â Â <a data-toggle="collapse" data-target="#idm46336718332448">(show)</a><br></br><div class="panel-collapse collapse" id="idm46336718332448"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service auditd > service: > name: "{{item}}" > enabled: "yes" > state: "started" > with_items: > - auditd > tags: > - service_auditd_enabled > - high_severity > - enable_strategy > - low_complexity > - low_disruption > - CCE-27407-6 > - NIST-800-53-AU-3 > - NIST-800-53-AC-17(1) > - NIST-800-53-AU-1(b) > - NIST-800-53-AU-10 > - NIST-800-53-AU-12(a) > - NIST-800-53-AU-12(c) > - NIST-800-53-AU-14(1) > - NIST-800-53-IR-5 > - NIST-800-171-3.3.1 > - NIST-800-171-3.3.2 > - NIST-800-171-3.3.6 > - PCI-DSS-Req-10 > - CJIS-5.4.1.1 > - DISA-STIG-RHEL-07-030000 ></code></pre></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_partition_for_home" id="rule-detail-idm46336712984736"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure /home Located On Separate Partitionxccdf_org.ssgproject.content_rule_partition_for_home lowCCE-80144-9 </div><div class="panel-heading"><h3 class="panel-title">Ensure /home Located On Separate Partition</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_partition_for_home</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:26:17</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80144-9">CCE-80144-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-021310</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86683r1_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">1.1.13</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001208</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-32(1)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>If user home directories will be stored locally, create a separate partition >for <code>/home</code> at installation time (or migrate it later using LVM). If ><code>/home</code> will be mounted from another system such as an NFS server, then >creating a separate partition is not necessary at installation time, and the >mountpoint can instead be configured later.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Ensuring that <code>/home</code> is mounted on its own partition enables the >setting of more restrictive mount options, and also helps ensure that >users cannot trivially fill partitions used for log or audit data storage.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_partition_for_var" id="rule-detail-idm46336712979024"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure /var Located On Separate Partitionxccdf_org.ssgproject.content_rule_partition_for_var lowCCE-26404-4 </div><div class="panel-heading"><h3 class="panel-title">Ensure /var Located On Separate Partition</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_partition_for_var</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:26:17</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-26404-4">CCE-26404-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-021320</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86685r1_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">1.1.6</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-32(1)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>/var</code> directory is used by daemons and other system >services to store frequently-changing data. Ensure that <code>/var</code> has its own partition >or logical volume at installation time, or migrate it using LVM.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Ensuring that <code>/var</code> is mounted on its own partition enables the >setting of more restrictive mount options. This helps protect >system services such as daemons or other programs which use it. >It is not uncommon for the <code>/var</code> directory to contain >world-writable directories installed by other software packages.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_partition_for_tmp" id="rule-detail-idm46336712975136"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure /tmp Located On Separate Partitionxccdf_org.ssgproject.content_rule_partition_for_tmp lowCCE-27173-4 </div><div class="panel-heading"><h3 class="panel-title">Ensure /tmp Located On Separate Partition</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_partition_for_tmp</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:26:17</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27173-4">CCE-27173-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-021340</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86689r1_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">1.1.2</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-32(1)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>/tmp</code> directory is a world-writable directory used >for temporary file storage. Ensure it has its own partition or >logical volume at installation time, or migrate it using LVM.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The <code>/tmp</code> partition is used as temporary storage by many programs. >Placing <code>/tmp</code> in its own partition enables the setting of more >restrictive mount options, which can help protect programs which use it.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_partition_for_var_log_audit" id="rule-detail-idm46336712971248"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure /var/log/audit Located On Separate Partitionxccdf_org.ssgproject.content_rule_partition_for_var_log_audit lowCCE-26971-2 </div><div class="panel-heading"><h3 class="panel-title">Ensure /var/log/audit Located On Separate Partition</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_partition_for_var_log_audit</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:26:17</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-26971-2">CCE-26971-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-021330</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86687r5_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">1.1.12</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(ii)</a>, <a href="https://www.iso.org/standard/54534.html">A.12.3.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-4</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-9</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-32(1)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Audit logs are stored in the <code>/var/log/audit</code> directory. Ensure that it >has its own partition or logical volume at installation time, or migrate it >later using LVM. Make absolutely certain that it is large enough to store all >audit logs that will be created by the auditing daemon.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Placing <code>/var/log/audit</code> in its own partition >enables better separation between audit files >and other files, and helps ensure that >auditing cannot be halted due to the partition running out >of space.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate" id="rule-detail-idm46336712962976"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticatexccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate mediumCCE-80350-2 </div><div class="panel-heading"><h3 class="panel-title">Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:26:17</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80350-2">CCE-80350-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-010350</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86573r2_rule</a>, <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R5)</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002038</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-11</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000373-GPOS-00156</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000373-GPOS-00157</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000373-GPOS-00158</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The sudo <code>!authenticate</code> option, when specified, allows a user to execute commands using >sudo without having to authenticate. This should be disabled by making sure that the ><code>!authenticate</code> option does not exist in <code>/etc/sudoers</code> configuration file or >any sudo configuration snippets in <code>/etc/sudoers.d/</code>.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Without re-authentication, users may access resources or perform tasks for which they >do not have authorization. ><br><br> >When operating systems provide the capability to escalate a functional capability, it >is critical that the user re-authenticate.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd" id="rule-detail-idm46336712959008"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWDxccdf_org.ssgproject.content_rule_sudo_remove_nopasswd mediumCCE-80351-0 </div><div class="panel-heading"><h3 class="panel-title">Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:26:17</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80351-0">CCE-80351-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-010340</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86571r2_rule</a>, <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R5)</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002038</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-11</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000373-GPOS-00156</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000373-GPOS-00157</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000373-GPOS-00158</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The sudo <code>NOPASSWD</code> tag, when specified, allows a user to execute commands using >sudo without having to authenticate. This should be disabled by making sure that the ><code>NOPASSWD</code> tag does not exist in <code>/etc/sudoers</code> configuration file or >any sudo configuration snippets in <code>/etc/sudoers.d/</code>.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Without re-authentication, users may access resources or perform tasks for which they >do not have authorization. ><br><br> >When operating systems provide the capability to escalate a functional capability, it >is critical that the user re-authenticate.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_installed_OS_is_certified" id="rule-detail-idm46336712955120"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->The Installed Operating System Is Vendor Supported and Certifiedxccdf_org.ssgproject.content_rule_installed_OS_is_certified highCCE-80349-4 </div><div class="panel-heading"><h3 class="panel-title">The Installed Operating System Is Vendor Supported and Certified</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_installed_OS_is_certified</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:26:17</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80349-4">CCE-80349-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-020250</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86621r2_rule</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-2(c)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The installed operating system must be maintained and certified by a vendor. >Red Hat Enterprise Linux is supported by Red Hat, Inc. As the Red Hat Enterprise >Linux vendor, Red Hat, Inc. is responsible for providing security patches as well >as meeting and maintaining goverment certifications and standards.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>An operating system is considered "supported" if the vendor continues to provide >security patches for the product as well as maintain government certification requirements. >With an unsupported release, it will not be possible to resolve security issue discovered in >the system software as well as meet government certifications.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-error rule-detail-id-xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode" id="rule-detail-idm46336712949344"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Enable FIPS Mode in GRUB2xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode highCCE-80359-3 </div><div class="panel-heading"><h3 class="panel-title">Enable FIPS Mode in GRUB2</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode</td></tr><tr><td>Result</td><td class="rule-result rule-result-error"><div><abbr title="The checking engine could not complete the evaluation, therefore the status of the target's compliance with the rule is not certain. This could happen, for example, if a testing tool was run with insufficient privileges and could not gather all of the necessary information.">error</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:28:13</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80359-3">CCE-80359-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-021350</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86691r3_rule</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.10.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.13.8</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.13.11</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000068</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002450</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(2)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000033-GPOS-00014</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000396-GPOS-00176</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000478-GPOS-00223</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To ensure FIPS mode is enabled, rebuild <code>initramfs</code> by running the following command: ><pre>dracut -f</pre> >After the <code>dracut</code> command has been run, add the argument <code>fips=1</code> to the default >GRUB 2 command line for the Linux operating system in ><code>/etc/default/grub</code>, in the manner below: ><pre>GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=VolGroup/LogVol06 rd.lvm.lv=VolGroup/lv_swap rhgb quiet rd.shell=0 fips=1"</pre> >Finally, rebuild the <code>grub.cfg</code> file by using the ><pre>grub2-mkconfig -o</pre> command as follows: ><ul><li>On BIOS-based machines, issue the following command as <code>root</code>: ><pre>~]# grub2-mkconfig -o /boot/grub2/grub.cfg</pre></li><li>On UEFI-based machines, issue the following command as <code>root</code>: ><pre>~]# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg</pre></li></ul></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to >protect data. The operating system must implement cryptographic modules adhering to the higher >standards approved by the federal government since this provides assurance they have been tested >and validated.</p></div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span>Â > Running <pre>dracut -f</pre> will overwrite the existing initramfs file.</div></div><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span>Â > The system needs to be rebooted for these changes to take effect.</div></div><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span>Â > The ability to enable FIPS does not denote FIPS compliancy or certification. >Red Hat, Inc. and Red Hat Enterprise Linux are respectively FIPS certified and compliant. Community >projects such as CentOS, Scientific Linux, etc. do not necessarily meet FIPS certification and compliancy. >Therefore, non-certified vendors and/or projects do not meet this requirement even if technically feasible. ><br><br> >See <b><a href="http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401vend.htm">http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401vend.htm</a></b> >for a list of FIPS certified vendors.</div></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre><span class="label label-primary">info</span>Â > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">grep: /etc/sysconfig/prelink: No such file or directory >which: no dnf in (/bin:/sbin:/usr/bin:/usr/sbin) >/bin/yum >Loaded plugins: product-id, search-disabled-repos, subscription-manager >This system is not registered with an entitlement server. You can use subscription-manager to register. >There are no enabled repos. > Run "yum repolist all" to see the repos you have. > To enable Red Hat Subscription Management repositories: > subscription-manager repos --enable <repo> > To enable custom repositories: > yum-config-manager --enable <repo> ></message></pre><span class="label label-primary">info</span>Â > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Failed to verify applied fix: Checking engine returns: fail</message></pre></div></div></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation Shell script:</span>Â Â Â <a data-toggle="collapse" data-target="#idm46336718056416">(show)</a><br></br><div class="panel-collapse collapse" id="idm46336718056416"><pre><code><abbr title="from TestResult: xccdf_org.ssgproject.content_value_function_disable_prelink">function disable_prelink { > # Disable prelinking and don't even check > # whether it is installed. > if grep -q ^PRELINKING /etc/sysconfig/prelink > then > sed -i 's/^PRELINKING[:blank:]*=[:blank:]*[:alpha:]*/PRELINKING=no/' /etc/sysconfig/prelink > else > printf '\n' >> /etc/sysconfig/prelink > printf '%s\n' '# Set PRELINKING=no per security requirements' 'PRELINKING=no' >> /etc/sysconfig/prelink > fi > > # Undo previous prelink changes to binaries if prelink is available. > if test -x /usr/sbin/prelink; then > /usr/sbin/prelink -ua > fi >} ></abbr> >disable_prelink ><abbr title="from TestResult: xccdf_org.ssgproject.content_value_function_package_install"># Function to install packages on RHEL, Fedora, Debian, and possibly other systems. ># ># Example Call(s): ># ># package_install aide ># >function package_install { > ># Load function arguments into local variables >local package="$1" > ># Check sanity of the input >if [ $# -ne "1" ] >then > echo "Usage: package_install 'package_name'" > echo "Aborting." > exit 1 >fi > >if which dnf ; then > if ! rpm -q --quiet "$package"; then > dnf install -y "$package" > fi >elif which yum ; then > if ! rpm -q --quiet "$package"; then > yum install -y "$package" > fi >elif which apt-get ; then > apt-get install -y "$package" >else > echo "Failed to detect available packaging system, tried dnf, yum and apt-get!" > echo "Aborting." > exit 1 >fi > >} ></abbr> >package_install dracut-fips > >dracut -f > ># Correct the form of default kernel command line in grub >if grep -q '^GRUB_CMDLINE_LINUX=.*fips=.*"' /etc/default/grub; then > # modify the GRUB command-line if a fips= arg already exists > sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)fips=[^[:space:]]*\(.*"\)/\1 fips=1 \2/' /etc/default/grub >else > # no existing fips=arg is present, append it > sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)"/\1 fips=1"/' /etc/default/grub >fi > ># Get the UUID of the device mounted at /boot. >BOOT_UUID=$(findmnt --noheadings --output uuid --target /boot) > >if grep -q '^GRUB_CMDLINE_LINUX=".*boot=.*"' /etc/default/grub; then > # modify the GRUB command-line if a boot= arg already exists > sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)boot=[^[:space:]]*\(.*"\)/\1 boot=UUID='"${BOOT_UUID} \2/" /etc/default/ grub >else > # no existing boot=arg is present, append it > sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)"/\1 boot=UUID='${BOOT_UUID}'"/' /etc/default/grub >fi > ># Correct the form of kernel command line for each installed kernel in the bootloader >/sbin/grubby --update-kernel=ALL --args="fips=1 boot=UUID=${BOOT_UUID}" ></code></pre></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_mcafee_antivirus_definitions_updated" id="rule-detail-idm46336712923968"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Virus Scanning Software Definitions Are Updatedxccdf_org.ssgproject.content_rule_mcafee_antivirus_definitions_updated mediumCCE-80129-0 </div><div class="panel-heading"><h3 class="panel-title">Virus Scanning Software Definitions Are Updated</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_mcafee_antivirus_definitions_updated</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:26:17</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80129-0">CCE-80129-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-032010</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86839r2_rule</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001239</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001668</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-28</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-3(1)(ii)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Ensure virus definition files are no older than 7 days or their last release.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Virus scanning software can be used to detect if a system has been compromised by >computer viruses, as well as to limit their spread to other systems.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_install_mcafee_antivirus" id="rule-detail-idm46336712919088"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Install McAfee Virus Scanning Softwarexccdf_org.ssgproject.content_rule_install_mcafee_antivirus highCCE-80127-4 </div><div class="panel-heading"><h3 class="panel-title">Install McAfee Virus Scanning Software</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_install_mcafee_antivirus</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:26:17</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80127-4">CCE-80127-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-032000</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86837r2_rule</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001239</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001668</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-28</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-3(1)(ii)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Install McAfee VirusScan Enterprise for Linux antivirus software >which is provided for DoD systems and uses signatures to search for the >presence of viruses on the filesystem.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Virus scanning software can be used to detect if a system has been compromised by >computer viruses, as well as to limit their spread to other systems.</p></div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span>Â > Due to McAfee HIPS being 3rd party software, automated >remediation is not available for this configuration check.</div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_rpm_verify_permissions" id="rule-detail-idm46336712908304"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Verify and Correct File Permissions with RPMxccdf_org.ssgproject.content_rule_rpm_verify_permissions highCCE-27209-6 </div><div class="panel-heading"><h3 class="panel-title">Verify and Correct File Permissions with RPM</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_rpm_verify_permissions</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:26:22</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27209-6">CCE-27209-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-010010</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86473r2_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">1.2.6</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">6.1.3</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">6.1.4</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">6.1.5</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">6.1.6</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">6.1.7</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">6.1.8</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">6.1.9</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">6.2.3</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.10.4.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.8</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.1</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001494</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001496</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(c)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(c)(2)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(i)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-9(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-9(3)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(3)</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-11.5</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000257-GPOS-00098</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000278-GPOS-00108</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The RPM package management system can check file access permissions >of installed software packages, including many that are important >to system security. >Verify that the file permissions of system files >and commands match vendor values. Check the file permissions >with the following command: ><pre>$ sudo rpm -Va | grep '^.M'</pre> >Output indicates files that do not match vendor defaults. >After locating a file with incorrect permissions, >run the following command to determine which package owns it: ><pre>$ rpm -qf <i>FILENAME</i></pre> ><br> >Next, run the following command to reset its permissions to >the correct values: ><pre>$ sudo rpm --quiet --setperms <i>PACKAGENAME</i></pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Permissions on system binaries and configuration files that are too generous >could allow an unauthorized user to gain privileges that they should not have. >The permissions set by the vendor should be maintained. Any deviations from >this baseline should be investigated.</p></div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span>Â > > <b>Note: Due to a bug in the <code>gdm</code> package, >the RPM verify command may continue to fail even after file permissions have >been correctly set on <code>/var/log/gdm</code>. This is being tracked in Red Hat >Bugzilla #1277603.</b> > </div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_rpm_verify_ownership" id="rule-detail-idm46336712904352"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Verify and Correct Ownership with RPMxccdf_org.ssgproject.content_rule_rpm_verify_ownership highCCE-80545-7 </div><div class="panel-heading"><h3 class="panel-title">Verify and Correct Ownership with RPM</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_rpm_verify_ownership</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:26:31</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80545-7">CCE-80545-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-TBD</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">1.2.6</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">6.1.3</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">6.1.4</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">6.1.5</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">6.1.6</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">6.1.7</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">6.1.8</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">6.1.9</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">6.2.3</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.10.4.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.8</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.1</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001494</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001496</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-9(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-9(3)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(3)</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-11.5</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000257-GPOS-00098</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000278-GPOS-00108</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The RPM package management system can check file ownership >permissions of installed software packages, including many that are >important to system security. After locating a file with incorrect >permissions, which can be found with ><pre>rpm -Va | grep "^.....\(U\|.G\)"</pre> >run the following command to determine which package owns it: ><pre>$ rpm -qf <i>FILENAME</i></pre> >Next, run the following command to reset its permissions to >the correct values: ><pre>$ sudo rpm --setugids <i>PACKAGENAME</i></pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Ownership of binaries and configuration files that is incorrect >could allow an unauthorized user to gain privileges that they should >not have. The ownership set by the vendor should be maintained. Any >deviations from this baseline should be investigated.</p></div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span>Â > > <b>Note: Due to a bug in the <code>gdm</code> package, >the RPM verify command may continue to fail even after file permissions have >been correctly set on <code>/var/log/gdm</code>. This is being tracked in Red Hat >Bugzilla #1277603.</b> > </div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_rpm_verify_hashes" id="rule-detail-idm46336712900464"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Verify File Hashes with RPMxccdf_org.ssgproject.content_rule_rpm_verify_hashes highCCE-27157-7 </div><div class="panel-heading"><h3 class="panel-title">Verify File Hashes with RPM</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_rpm_verify_hashes</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:11</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27157-7">CCE-27157-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-010020</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86479r2_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">1.2.6</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.10.4.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.8</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.1</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000663</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(c)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(c)(2)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(i)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(3)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-7(1)</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-11.5</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Without cryptographic integrity protections, system >executables and files can be altered by unauthorized users without >detection. >The RPM package management system can check the hashes of >installed software packages, including many that are important to system >security. >To verify that the cryptographic hash of system files and commands match vendor >values, run the following command to list which files on the system >have hashes that differ from what is expected by the RPM database: ><pre>$ rpm -Va | grep '^..5'</pre> >A "c" in the second column indicates that a file is a configuration file, which >may appropriately be expected to change. If the file was not expected to >change, investigate the cause of the change using audit logs or other means. >The package can then be reinstalled to restore the file. >Run the following command to determine which package owns the file: ><pre>$ rpm -qf <i>FILENAME</i></pre> >The package can be reinstalled from a yum repository using the command: ><pre>$ sudo yum reinstall <i>PACKAGENAME</i></pre> >Alternatively, the package can be reinstalled from trusted media using the command: ><pre>$ sudo rpm -Uvh <i>PACKAGENAME</i></pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The hashes of important files like system executables should match the >information given by the RPM database. Executables with erroneous hashes could >be a sign of nefarious activity on the system.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_package_aide_installed" id="rule-detail-idm46336712896576"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Install AIDExccdf_org.ssgproject.content_rule_package_aide_installed mediumCCE-27096-7 </div><div class="panel-heading"><h3 class="panel-title">Install AIDE</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_aide_installed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:12</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27096-7">CCE-27096-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">1.3.1</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.10.1.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-3(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-3(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(3)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-28</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-7</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-11.5</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Install the AIDE package with the command: ><pre>$ sudo yum install aide</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The AIDE package must be installed if it is to be available for integrity checking.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_aide_verify_ext_attributes" id="rule-detail-idm46336712892672"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure AIDE to Verify Extended Attributesxccdf_org.ssgproject.content_rule_aide_verify_ext_attributes mediumCCE-80376-7 </div><div class="panel-heading"><h3 class="panel-title">Configure AIDE to Verify Extended Attributes</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_aide_verify_ext_attributes</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:28:13</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80376-7">CCE-80376-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-021610</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86695r2_rule</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-7.1</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>By default, the <code>xattrs</code> option is added to the <code>FIPSR</code> ruleset in AIDE. >If using a custom ruleset or the <code>xattrs</code> option is missing, add <code>xattrs</code> >to the appropriate ruleset. >For example, add <code>xattrs</code> to the following line in <code>/etc/aide.conf</code>: ><pre>FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256</pre> >AIDE rules can be configured in multiple ways; this is merely one example that is already >configured by default.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Extended attributes in file systems are used to contain arbitrary data and file metadata >with security implications.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre><span class="label label-primary">info</span>Â > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">which: no dnf in (/bin:/sbin:/usr/bin:/usr/sbin) >/bin/yum ></message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_aide_verify_acls" id="rule-detail-idm46336712887072"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure AIDE to Verify Access Control Lists (ACLs)xccdf_org.ssgproject.content_rule_aide_verify_acls mediumCCE-80375-9 </div><div class="panel-heading"><h3 class="panel-title">Configure AIDE to Verify Access Control Lists (ACLs)</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_aide_verify_acls</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:28:13</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80375-9">CCE-80375-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-021600</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86693r2_rule</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-7.1</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>By default, the <code>acl</code> option is added to the <code>FIPSR</code> ruleset in AIDE. >If using a custom ruleset or the <code>acl</code> option is missing, add <code>acl</code> >to the appropriate ruleset. >For example, add <code>acl</code> to the following line in <code>/etc/aide.conf</code>: ><pre>FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256</pre> >AIDE rules can be configured in multiple ways; this is merely one example that is already >configured by default.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>ACLs can provide permissions beyond those permitted through the file mode and must be >verified by the file integrity tools.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre><span class="label label-primary">info</span>Â > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">which: no dnf in (/bin:/sbin:/usr/bin:/usr/sbin) >/bin/yum ></message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_aide_use_fips_hashes" id="rule-detail-idm46336712874832"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure AIDE to Use FIPS 140-2 for Validating Hashesxccdf_org.ssgproject.content_rule_aide_use_fips_hashes mediumCCE-80377-5 </div><div class="panel-heading"><h3 class="panel-title">Configure AIDE to Use FIPS 140-2 for Validating Hashes</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_aide_use_fips_hashes</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:28:13</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80377-5">CCE-80377-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-021620</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86697r2_rule</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.13.11</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-7(1)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>By default, the <code>sha512</code> option is added to the <code>NORMAL</code> ruleset in AIDE. >If using a custom ruleset or the <code>sha512</code> option is missing, add <code>sha512</code> >to the appropriate ruleset. >For example, add <code>sha512</code> to the following line in <code>/etc/aide.conf</code>: ><pre>NORMAL = FIPSR+sha512</pre> >AIDE rules can be configured in multiple ways; this is merely one example that is already >configured by default.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>File integrity tools use cryptographic hashes for verifying file contents and directories >have not been altered. These hashes must be FIPS 140-2 approved cryptographic hashes.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre><span class="label label-primary">info</span>Â > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">which: no dnf in (/bin:/sbin:/usr/bin:/usr/sbin) >/bin/yum ></message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_aide_scan_notification" id="rule-detail-idm46336712876864"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure Notification of Post-AIDE Scan Detailsxccdf_org.ssgproject.content_rule_aide_scan_notification mediumCCE-80374-2 </div><div class="panel-heading"><h3 class="panel-title">Configure Notification of Post-AIDE Scan Details</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_aide_scan_notification</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:28:14</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80374-2">CCE-80374-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-020040</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86599r1_rule</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001744</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-3(5)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000363-GPOS-00150</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>AIDE should notify appropriate personnel of the details of a scan after the scan has been run. >If AIDE has already been configured for periodic execution in <code>/etc/crontab</code>, append the >following line to the existing AIDE line: ><pre> | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost</pre> >Otherwise, add the following line to <code>/etc/crontab</code>: ><pre>05 4 * * * root /usr/sbin/aide --check | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost</pre> >AIDE can be executed periodically through other means; this is merely one example.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Unauthorized changes to the baseline configuration could make the system vulnerable >to various attacks or allow unauthorized access to the operating system. Changes to >operating system configurations can have unintended side effects, some of which may >be relevant to security. ><br><br> >Detecting such changes and providing an automated response can help avoid unintended, >negative consequences that could ultimately affect the security state of the operating >system. The operating system's Information Management Officer (IMO)/Information System >Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or >monitoring system trap when there is an unauthorized modification of a configuration item.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre><span class="label label-primary">info</span>Â > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">which: no dnf in (/bin:/sbin:/usr/bin:/usr/sbin) >/bin/yum ></message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking" id="rule-detail-idm46336712858480"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure Periodic Execution of AIDExccdf_org.ssgproject.content_rule_aide_periodic_cron_checking mediumCCE-26952-2 </div><div class="panel-heading"><h3 class="panel-title">Configure Periodic Execution of AIDE</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:28:14</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-26952-2">CCE-26952-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-020030</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86597r1_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">1.3.2</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.10.1.3</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001744</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-3(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-3(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-3(5)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(3)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-28</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-7</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-11.5</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000363-GPOS-00150</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>At a minimum, AIDE should be configured to run a weekly scan. At most, AIDE should be run daily. >To implement a daily execution of AIDE at 4:05am using cron, add the following line to <code>/etc/crontab</code>: ><pre>05 4 * * * root /usr/sbin/aide --check</pre> >To implement a weekly execution of AIDE at 4:05am using cron, add the following line to <code>/etc/crontab</code>: ><pre>05 4 * * 0 root /usr/sbin/aide --check</pre> >AIDE can be executed periodically through other means; this is merely one example. >The usage of cron's special time codes, such as <code>@daily</code> and ><code>@weekly</code> is acceptable.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>By default, AIDE does not install itself for periodic execution. Periodically >running AIDE is necessary to reveal unexpected changes in installed files. ><br><br> >Unauthorized changes to the baseline configuration could make the system vulnerable >to various attacks or allow unauthorized access to the operating system. Changes to >operating system configurations can have unintended side effects, some of which may >be relevant to security. ><br><br> >Detecting such changes and providing an automated response can help avoid unintended, >negative consequences that could ultimately affect the security state of the operating >system. The operating system's Information Management Officer (IMO)/Information System >Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or >monitoring system trap when there is an unauthorized modification of a configuration item.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre><span class="label label-primary">info</span>Â > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">which: no dnf in (/bin:/sbin:/usr/bin:/usr/sbin) >/bin/yum ></message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notchecked rule-detail-id-xccdf_org.ssgproject.content_rule_security_patches_up_to_date" id="rule-detail-idm46336712846512"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure Software Patches Installedxccdf_org.ssgproject.content_rule_security_patches_up_to_date highCCE-26895-3 </div><div class="panel-heading"><h3 class="panel-title">Ensure Software Patches Installed</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_security_patches_up_to_date</td></tr><tr><td>Result</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:12</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-26895-3">CCE-26895-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-020260</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86623r3_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">1.8</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.10.4.1</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-2(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MA-1(b)</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-6.2</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p> >If the system is joined to the Red Hat Network, a Red Hat Satellite Server, >or a yum server, run the following command to install updates: ><pre>$ sudo yum update</pre> >If the system is not configured to use one of these sources, updates (in the form of RPM packages) >can be manually downloaded from the Red Hat Network and installed using <code>rpm</code>. > ><br><br> >NOTE: U.S. Defense systems are required to be patched within 30 days or sooner as local policy >dictates.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Installing software updates is a fundamental mitigation against >the exploitation of publicly-known vulnerabilities. If the most >recent security patches and updates are not installed, unauthorized >users may take advantage of weaknesses in the unpatched software. The >lack of prompt attention to patching could result in a system compromise.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">None of the check-content-ref elements was resolvable.</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_ensure_gpgcheck_repo_metadata" id="rule-detail-idm46336712839984"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure gpgcheck Enabled for Repository Metadataxccdf_org.ssgproject.content_rule_ensure_gpgcheck_repo_metadata highCCE-80348-6 </div><div class="panel-heading"><h3 class="panel-title">Ensure gpgcheck Enabled for Repository Metadata</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_ensure_gpgcheck_repo_metadata</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:12</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80348-6">CCE-80348-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-020070</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86605r1_rule</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001749</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(c)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(c)(2)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(i)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-5(3)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000366-GPOS-00153</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Verify the operating system prevents the installation of patches, service packs, device >drivers, or operating system components of local packages without verification of the >repository metadata. ><br><br> >Check that <code>yum</code> verifies the repository metadata prior to install with the >following command. This should be configured by setting <code>repo_gpgcheck</code> to <code>1</code> >in <code>/etc/yum.conf</code>.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Changes to any software components can have significant effects to the overall security >of the operating system. This requirement ensures the software has not been tampered and >has been provided by a trusted vendor. ><br><br> >Accordingly, patches, service packs, device drivers, or operating system components must >be signed with a certificate recognized and approved by the organization. ><br><br> >Verifying the authenticity of the software prior to installation validates the integrity >of the patch or upgrade received from a vendor. This ensures the software has not been >tampered with and that it has been provided by a trusted vendor. Self-signed certificates >are disallowed by this requirement. The operating system should not have to verify the software >again. ><br><br> >NOTE: For U.S. Military systems, this requirement does not mandate DoD certificates for >this purpose; however, the certificate used to verify the software must be from an >approved Certificate Authority.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_clean_components_post_updating" id="rule-detail-idm46336712836016"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure YUM Removes Previous Package Versionsxccdf_org.ssgproject.content_rule_clean_components_post_updating lowCCE-80346-0 </div><div class="panel-heading"><h3 class="panel-title">Ensure YUM Removes Previous Package Versions</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_clean_components_post_updating</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:28:14</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80346-0">CCE-80346-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-020200</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86611r1_rule</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.8</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002617</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-2(6)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000437-GPOS-00194</a></p></td></tr><tr><td>Description</td><td><div class="description"><p><code>Yum</code> should be configured to remove previous software components after >previous versions have been installed. To configure <code>yum</code> to remove the >previous software components after updating, set the <code>clean_requirements_on_remove</code> >to <code>1</code> in <code>/etc/yum.conf</code>.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Previous versions of software components that are not removed from the information >system after updates have been installed may be exploited by some adversaries.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated" id="rule-detail-idm46336712817408"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure gpgcheck Enabled In Main Yum Configurationxccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated highCCE-26989-4 </div><div class="panel-heading"><h3 class="panel-title">Ensure gpgcheck Enabled In Main Yum Configuration</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:12</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-26989-4">CCE-26989-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-020050</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86601r1_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">1.2.2</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.10.4.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.8</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001749</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(c)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(c)(2)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(i)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-5(3)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-7</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MA-1(b)</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-6.2</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000366-GPOS-00153</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>gpgcheck</code> option controls whether >RPM packages' signatures are always checked prior to installation. >To configure yum to check package signatures before installing >them, ensure the following line appears in <code>/etc/yum.conf</code> in >the <code>[main]</code> section: ><pre>gpgcheck=1</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Changes to any software components can have significant effects on the overall security >of the operating system. This requirement ensures the software has not been tampered with >and that it has been provided by a trusted vendor. ><br> >Accordingly, patches, service packs, device drivers, or operating system components must >be signed with a certificate recognized and approved by the organization. ><br> >Verifying the authenticity of the software prior to installation >validates the integrity of the patch or upgrade received from >a vendor. This ensures the software has not been tampered with and >that it has been provided by a trusted vendor. Self-signed >certificates are disallowed by this requirement. Certificates >used to verify the software must be from an approved Certificate >Authority (CA).</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages" id="rule-detail-idm46336712827936"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure gpgcheck Enabled for Local Packagesxccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages highCCE-80347-8 </div><div class="panel-heading"><h3 class="panel-title">Ensure gpgcheck Enabled for Local Packages</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:28:14</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80347-8">CCE-80347-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-020060</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86603r1_rule</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.8</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001749</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(c)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(c)(2)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(i)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-5(3)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000366-GPOS-00153</a></p></td></tr><tr><td>Description</td><td><div class="description"><p><code>Yum</code> should be configured to verify the signature(s) of local packages >prior to installation. To configure <code>yum</code> to verify signatures of local >packages, set the <code>localpkg_gpgcheck</code> to <code>1</code> in <code>/etc/yum.conf</code>.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Changes to any software components can have significant effects to the overall security >of the operating system. This requirement ensures the software has not been tampered and >has been provided by a trusted vendor. ><br><br> >Accordingly, patches, service packs, device drivers, or operating system components must >be signed with a certificate recognized and approved by the organization.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â > <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_dconf_gnome_session_idle_user_locks" id="rule-detail-idm46336712816080"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure Users Cannot Change GNOME3 Session Idle Settingsxccdf_org.ssgproject.content_rule_dconf_gnome_session_idle_user_locks mediumCCE-80544-0 </div><div class="panel-heading"><h3 class="panel-title">Ensure Users Cannot Change GNOME3 Session Idle Settings</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_dconf_gnome_session_idle_user_locks</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:12</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80544-0">CCE-80544-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-010082</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-87809r3_rule</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.10</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000057</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-11(a)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-00029-GPOS-0010</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>If not already configured, ensure that users cannot change GNOME3 session idle settings >by adding <code>/org/gnome/desktop/session/idle-delay</code> >to <code>/etc/dconf/db/local.d/locks/00-security-settings-lock</code> to prevent user modification. >For example: ><pre>/org/gnome/desktop/session/idle-delay</pre> >After the settings have been set, run <code>dconf update</code>.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate >physical vicinity of the information system but does not logout because of the temporary nature of the absence. >Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, >GNOME desktops can be configured to identify when a user's session has idled and take action to initiate the >session lock. As such, users should not be allowed to change session settings.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_delay" id="rule-detail-idm46336712812288"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set GNOME3 Screensaver Lock Delay After Activation Periodxccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_delay mediumCCE-80370-0 </div><div class="panel-heading"><h3 class="panel-title">Set GNOME3 Screensaver Lock Delay After Activation Period</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_delay</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:12</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80370-0">CCE-80370-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-010110</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86525r2_rule</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.10</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000056</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-11(a)</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.1.8</a>, <a href="">OS-SRG-000029-GPOS-00010</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To activate the locking delay of the screensaver in the GNOME3 desktop when >the screensaver is activated, add or set <code>lock-delay</code> to <code>uint32 <abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_screensaver_lock_delay">5</abbr></code> in ><code>/etc/dconf/db/local.d/00-security-settings</code>. For example: ><pre>[org/gnome/desktop/screensaver] >lock-delay=uint32 <abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_screensaver_lock_delay">5</abbr> ></pre> >Once the setting has been added, add a lock to ><code>/etc/dconf/db/local.d/locks/00-security-settings-lock</code> to prevent user modification. >For example: ><pre>/org/gnome/desktop/screensaver/lock-delay</pre> >After the settings have been set, run <code>dconf update</code>.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity >of the information system but does not want to logout because of the temporary nature of the absense.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_user_locks" id="rule-detail-idm46336712801968"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure Users Cannot Change GNOME3 Screensaver Settingsxccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_user_locks mediumCCE-80371-8 </div><div class="panel-heading"><h3 class="panel-title">Ensure Users Cannot Change GNOME3 Screensaver Settings</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_user_locks</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:12</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80371-8">CCE-80371-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-010081</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-87807r3_rule</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.10</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000057</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-11(a)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-00029-GPOS-0010</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>If not already configured, ensure that users cannot change GNOME3 screensaver lock settings >by adding <code>/org/gnome/desktop/screensaver/lock-delay</code> >to <code>/etc/dconf/db/local.d/locks/00-security-settings-lock</code> to prevent user modification. >For example: ><pre>/org/gnome/desktop/screensaver/lock-delay</pre> >After the settings have been set, run <code>dconf update</code>.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate >physical vicinity of the information system but does not logout because of the temporary nature of the absence. >Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, >GNOME desktops can be configured to identify when a user's session has idled and take action to initiate the >session lock. As such, users should not be allowed to change session settings.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_activation_enabled" id="rule-detail-idm46336712796224"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Enable GNOME3 Screensaver Idle Activationxccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_activation_enabled mediumCCE-80111-8 </div><div class="panel-heading"><h3 class="panel-title">Enable GNOME3 Screensaver Idle Activation</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_activation_enabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:12</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80111-8">CCE-80111-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-010100</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86523r3_rule</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.10</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000057</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-11(a)</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.1.8</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000029-GPOS-00010</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To activate the screensaver in the GNOME3 desktop after a period of inactivity, >add or set <code>idle-activation-enabled</code> to <code>true</code> in ><code>/etc/dconf/db/local.d/00-security-settings</code>. For example: ><pre>[org/gnome/desktop/screensaver] >idle_activation_enabled=true</pre> >Once the setting has been added, add a lock to ><code>/etc/dconf/db/local.d/locks/00-security-settings-lock</code> to prevent user modification. >For example: ><pre>/org/gnome/desktop/screensaver/idle-activation-enabled</pre> >After the settings have been set, run <code>dconf update</code>.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate >physical vicinity of the information system but does not logout because of the temporary nature of the absence. >Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, >GNOME desktops can be configured to identify when a user's session has idled and take action to initiate the >session lock. ><br><br> >Enabling idle activation of the screensaver ensures the screensaver will >be activated after the idle delay. Applications requiring continuous, >real-time screen display (such as network management products) require the >login session does not have administrator rights and the display station is located in a >controlled-access area.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay" id="rule-detail-idm46336712790592"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set GNOME3 Screensaver Inactivity Timeoutxccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay mediumCCE-80110-0 </div><div class="panel-heading"><h3 class="panel-title">Set GNOME3 Screensaver Inactivity Timeout</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:12</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80110-0">CCE-80110-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-010070</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86517r4_rule</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.10</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000057</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-11(a)</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.1.8</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000029-GPOS-00010</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The idle time-out value for inactivity in the GNOME3 desktop is configured via the <code>idle-delay</code> >setting must be set under an appropriate configuration file(s) in the <code>/etc/dconf/db/local.d</code> directory >and locked in <code>/etc/dconf/db/local.d/locks</code> directory to prevent user modification. ><br><br> >For example, to configure the system for a 15 minute delay, add the following to ><code>/etc/dconf/db/local.d/00-security-settings</code>: ><pre>[org/gnome/desktop/session] >idle-delay='uint32 900'</pre> >Once the setting has been added, add a lock to ><code>/etc/dconf/db/local.d/locks/00-security-settings-lock</code> to prevent user modification. >For example: ><pre>/org/gnome/desktop/session/idle-delay</pre> >After the settings have been set, run <code>dconf update</code>.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>A session time-out lock is a temporary action taken when a user stops work and moves away from >the immediate physical vicinity of the information system but does not logout because of the >temporary nature of the absence. Rather than relying on the user to manually lock their operating >system session prior to vacating the vicinity, GNOME3 can be configured to identify when >a user's session has idled and take action to initiate a session lock.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_locked" id="rule-detail-idm46336712785776"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure Users Cannot Change GNOME3 Screensaver Lock After Idle Periodxccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_locked mediumCCE-80563-0 </div><div class="panel-heading"><h3 class="panel-title">Ensure Users Cannot Change GNOME3 Screensaver Lock After Idle Period</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_locked</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:12</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80563-0">CCE-80563-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-010062</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-93701r1_rule</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.10</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000056</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-11(b)</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.1.8</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000029-GPOS-00010</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>If not already configured, ensure that users cannot change GNOME3 screensaver lock settings >by adding <pre>/org/gnome/desktop/screensaver/lock-enabled</pre> >to <code>/etc/dconf/db/local.d/00-security-settings</code>. >For example: ><pre>/org/gnome/desktop/screensaver/lock-enabled</pre> >After the settings have been set, run <code>dconf update</code>.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity >of the information system but does not want to logout because of the temporary nature of the absense.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_enabled" id="rule-detail-idm46336712776256"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Enable GNOME3 Screensaver Lock After Idle Periodxccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_enabled mediumCCE-80112-6 </div><div class="panel-heading"><h3 class="panel-title">Enable GNOME3 Screensaver Lock After Idle Period</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_enabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:12</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80112-6">CCE-80112-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-010060</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86515r4_rule</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.10</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000056</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-11(b)</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.1.8</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000028-GPOS-00009</a>, <a href="">OS-SRG-000030-GPOS-00011</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To activate locking of the screensaver in the GNOME3 desktop when it is activated, >add or set <code>lock-enabled</code> to <code>true</code> in ><code>/etc/dconf/db/local.d/00-security-settings</code>. For example: ><pre>[org/gnome/desktop/screensaver] >lock-enabled=true ></pre> >Once the settings have been added, add a lock to ><code>/etc/dconf/db/local.d/locks/00-security-settings-lock</code> to prevent user modification. >For example: ><pre>/org/gnome/desktop/screensaver/lock-enabled</pre> >After the settings have been set, run <code>dconf update</code>.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity >of the information system but does not want to logout because of the temporary nature of the absense.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_activation_locked" id="rule-detail-idm46336712771440"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure Users Cannot Change GNOME3 Screensaver Idle Activationxccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_activation_locked mediumCCE-80564-8 </div><div class="panel-heading"><h3 class="panel-title">Ensure Users Cannot Change GNOME3 Screensaver Idle Activation</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_activation_locked</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:12</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80564-8">CCE-80564-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-010101</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-93703r1_rule</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.10</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000057</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-11(a)</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.1.8</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000029-GPOS-00010</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>If not already configured, ensure that users cannot change GNOME3 screensaver lock settings >by adding <pre>/org/gnome/desktop/screensaver/idle-activation-enabled</pre> >to <code>/etc/dconf/db/local.d/00-security-settings</code>. >For example: ><pre>/org/gnome/desktop/screensaver/idle-activation-enabled</pre> >After the settings have been set, run <code>dconf update</code>.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity >of the information system but does not want to logout because of the temporary nature of the absense.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_dconf_gnome_enable_smartcard_auth" id="rule-detail-idm46336712743024"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Enable the GNOME3 Login Smartcard Authenticationxccdf_org.ssgproject.content_rule_dconf_gnome_enable_smartcard_auth mediumCCE-80108-4 </div><div class="panel-heading"><h3 class="panel-title">Enable the GNOME3 Login Smartcard Authentication</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_dconf_gnome_enable_smartcard_auth</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:12</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80108-4">CCE-80108-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000765</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000766</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000767</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000768</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000771</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000772</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000884</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001954</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.3</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000375-GPOS-00160</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-010061</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-92515r1_rule</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>In the default graphical environment, smart card authentication >can be enabled on the login screen by setting <code>enable-smartcard-authentication</code> >to <code>true</code>. ><br><br> >To enable, add or edit <code>enable-smartcard-authentication</code> to ><code>/etc/dconf/db/gdm.d/00-security-settings</code>. For example: ><pre>[org/gnome/login-screen] >enable-smartcard-authentication=true</pre> >Once the setting has been added, add a lock to ><code>/etc/dconf/db/gdm.d/locks/00-security-settings-lock</code> to prevent user modification. >For example: ><pre>/org/gnome/login-screen/enable-smartcard-authentication</pre> >After the settings have been set, run <code>dconf update</code>.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Smart card login provides two-factor authentication stronger than >that provided by a username and password combination. Smart cards leverage PKI >(public key infrastructure) in order to provide and verify credentials.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_gnome_gdm_disable_automatic_login" id="rule-detail-idm46336712734704"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable GDM Automatic Loginxccdf_org.ssgproject.content_rule_gnome_gdm_disable_automatic_login highCCE-80104-3 </div><div class="panel-heading"><h3 class="panel-title">Disable GDM Automatic Login</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_gnome_gdm_disable_automatic_login</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:12</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80104-3">CCE-80104-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FIA_AFL.1</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-010440</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86577r1_rule</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.1</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(b)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00229</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The GNOME Display Manager (GDM) can allow users to automatically login without >user interaction or credentials. User should always be required to authenticate themselves >to the system that they are authorized to use. To disable user ability to automatically >login to the system, set the <code>AutomaticLoginEnable</code> to <code>false</code> in the ><code>[daemon]</code> section in <code>/etc/gdm/custom.conf</code>. For example: ><pre>[daemon] >AutomaticLoginEnable=false</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Failure to restrict system access to authenticated users negatively impacts operating >system security.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_gnome_gdm_disable_guest_login" id="rule-detail-idm46336712723840"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable GDM Guest Loginxccdf_org.ssgproject.content_rule_gnome_gdm_disable_guest_login highCCE-80105-0 </div><div class="panel-heading"><h3 class="panel-title">Disable GDM Guest Login</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_gnome_gdm_disable_guest_login</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:12</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80105-0">CCE-80105-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FIA_AFL.1</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-010450</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86579r2_rule</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.1</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(b)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00229</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The GNOME Display Manager (GDM) can allow users to login without credentials >which can be useful for public kiosk scenarios. Allowing users to login without credentials >or "guest" account access has inherent security risks and should be disabled. To do disable >timed logins or guest account access, set the <code>TimedLoginEnable</code> to <code>false</code> in >the <code>[daemon]</code> section in <code>/etc/gdm/custom.conf</code>. For example: ><pre>[daemon] >TimedLoginEnable=false</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Failure to restrict system access to authenticated users negatively impacts operating >system security.</p></div></td></tr></tbody></table></div></div><a href="#result-details"><button type="button" class="btn btn-secondary">Scroll back to the first rule</button></a></div><div id="rear-matter"><div class="row top-spacer-10"><div class="col-md-12 well well-lg"><div class="rear-matter">Red Hat and Red Hat Enterprise Linux are either registered >trademarks or trademarks of Red Hat, Inc. in the United States and other >countries. All other names are registered trademarks or trademarks of their >respective companies. ></div></div></div></div></div></div><footer id="footer"><div class="container"><p class="muted credit"> > Generated using <a href="http://open-scap.org">OpenSCAP</a> 1.2.17</p></div></footer></body></html>
<!DOCTYPE html><html xmlns="http://www.w3.org/1999/xhtml" xmlns:arf="http://scap.nist.gov/schema/asset-reporting-format/1.1" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><meta charset="utf-8"></meta><meta http-equiv="X-UA-Compatible" content="IE=edge"></meta><meta name="viewport" content="width=device-width, initial-scale=1"></meta><title>xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_stig-rhel7-disa | OpenSCAP Evaluation Report</title><style> /*! * Bootstrap v3.3.7 (http://getbootstrap.com) * Copyright 2011-2016 Twitter, Inc. * Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE) */ /*! * Generated using the Bootstrap Customizer (https://getbootstrap.com/customize/?id=8160adef040364fa8f688f6065765caf) * Config saved to config.json and https://gist.github.com/8160adef040364fa8f688f6065765caf *//*! * Bootstrap v3.3.7 (http://getbootstrap.com) * Copyright 2011-2016 Twitter, Inc. * Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE) *//*! normalize.css v3.0.3 | MIT License | github.com/necolas/normalize.css */html{font-family:sans-serif;-ms-text-size-adjust:100%;-webkit-text-size-adjust:100%}body{margin:0}article,aside,details,figcaption,figure,footer,header,hgroup,main,menu,nav,section,summary{display:block}audio,canvas,progress,video{display:inline-block;vertical-align:baseline}audio:not([controls]){display:none;height:0}[hidden],template{display:none}a{background-color:transparent}a:active,a:hover{outline:0}abbr[title]{border-bottom:1px dotted}b,strong{font-weight:bold}dfn{font-style:italic}h1{font-size:2em;margin:0.67em 0}mark{background:#ff0;color:#000}small{font-size:80%}sub,sup{font-size:75%;line-height:0;position:relative;vertical-align:baseline}sup{top:-0.5em}sub{bottom:-0.25em}img{border:0}svg:not(:root){overflow:hidden}figure{margin:1em 40px}hr{-webkit-box-sizing:content-box;-moz-box-sizing:content-box;box-sizing:content-box;height:0}pre{overflow:auto}code,kbd,pre,samp{font-family:monospace, monospace;font-size:1em}button,input,optgroup,select,textarea{color:inherit;font:inherit;margin:0}button{overflow:visible}button,select{text-transform:none}button,html input[type="button"],input[type="reset"],input[type="submit"]{-webkit-appearance:button;cursor:pointer}button[disabled],html input[disabled]{cursor:default}button::-moz-focus-inner,input::-moz-focus-inner{border:0;padding:0}input{line-height:normal}input[type="checkbox"],input[type="radio"]{-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box;padding:0}input[type="number"]::-webkit-inner-spin-button,input[type="number"]::-webkit-outer-spin-button{height:auto}input[type="search"]{-webkit-appearance:textfield;-webkit-box-sizing:content-box;-moz-box-sizing:content-box;box-sizing:content-box}input[type="search"]::-webkit-search-cancel-button,input[type="search"]::-webkit-search-decoration{-webkit-appearance:none}fieldset{border:1px solid #c0c0c0;margin:0 2px;padding:0.35em 0.625em 0.75em}legend{border:0;padding:0}textarea{overflow:auto}optgroup{font-weight:bold}table{border-collapse:collapse;border-spacing:0}td,th{padding:0}/*! Source: https://github.com/h5bp/html5-boilerplate/blob/master/src/css/main.css */@media print{*,*:before,*:after{background:transparent !important;color:#000 !important;-webkit-box-shadow:none !important;box-shadow:none !important;text-shadow:none !important}a,a:visited{text-decoration:underline}a[href]:after{content:" (" attr(href) ")"}abbr[title]:after{content:" (" attr(title) ")"}a[href^="#"]:after,a[href^="javascript:"]:after{content:""}pre,blockquote{border:1px solid #999;page-break-inside:avoid}thead{display:table-header-group}tr,img{page-break-inside:avoid}img{max-width:100% !important}p,h2,h3{orphans:3;widows:3}h2,h3{page-break-after:avoid}.navbar{display:none}.btn>.caret,.dropup>.btn>.caret{border-top-color:#000 !important}.label{border:1px solid #000}.table{border-collapse:collapse !important}.table td,.table th{background-color:#fff !important}.table-bordered th,.table-bordered td{border:1px solid #ddd !important}}*{-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}*:before,*:after{-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}html{font-size:10px;-webkit-tap-highlight-color:rgba(0,0,0,0)}body{font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;font-size:14px;line-height:1.42857143;color:#333;background-color:#fff}input,button,select,textarea{font-family:inherit;font-size:inherit;line-height:inherit}a{color:#428bca;text-decoration:none}a:hover,a:focus{color:#2a6496;text-decoration:underline}a:focus{outline:5px auto -webkit-focus-ring-color;outline-offset:-2px}figure{margin:0}img{vertical-align:middle}.img-responsive{display:block;max-width:100%;height:auto}.img-rounded{border-radius:6px}.img-thumbnail{padding:4px;line-height:1.42857143;background-color:#fff;border:1px solid #ddd;border-radius:4px;-webkit-transition:all .2s ease-in-out;-o-transition:all .2s ease-in-out;transition:all .2s ease-in-out;display:inline-block;max-width:100%;height:auto}.img-circle{border-radius:50%}hr{margin-top:20px;margin-bottom:20px;border:0;border-top:1px solid #eee}.sr-only{position:absolute;width:1px;height:1px;margin:-1px;padding:0;overflow:hidden;clip:rect(0, 0, 0, 0);border:0}.sr-only-focusable:active,.sr-only-focusable:focus{position:static;width:auto;height:auto;margin:0;overflow:visible;clip:auto}[role="button"]{cursor:pointer}h1,h2,h3,h4,h5,h6,.h1,.h2,.h3,.h4,.h5,.h6{font-family:inherit;font-weight:500;line-height:1.1;color:inherit}h1 small,h2 small,h3 small,h4 small,h5 small,h6 small,.h1 small,.h2 small,.h3 small,.h4 small,.h5 small,.h6 small,h1 .small,h2 .small,h3 .small,h4 .small,h5 .small,h6 .small,.h1 .small,.h2 .small,.h3 .small,.h4 .small,.h5 .small,.h6 .small{font-weight:normal;line-height:1;color:#777}h1,.h1,h2,.h2,h3,.h3{margin-top:20px;margin-bottom:10px}h1 small,.h1 small,h2 small,.h2 small,h3 small,.h3 small,h1 .small,.h1 .small,h2 .small,.h2 .small,h3 .small,.h3 .small{font-size:65%}h4,.h4,h5,.h5,h6,.h6{margin-top:10px;margin-bottom:10px}h4 small,.h4 small,h5 small,.h5 small,h6 small,.h6 small,h4 .small,.h4 .small,h5 .small,.h5 .small,h6 .small,.h6 .small{font-size:75%}h1,.h1{font-size:36px}h2,.h2{font-size:30px}h3,.h3{font-size:24px}h4,.h4{font-size:18px}h5,.h5{font-size:14px}h6,.h6{font-size:12px}p{margin:0 0 10px}.lead{margin-bottom:20px;font-size:16px;font-weight:300;line-height:1.4}@media (min-width:768px){.lead{font-size:21px}}small,.small{font-size:85%}mark,.mark{background-color:#fcf8e3;padding:.2em}.text-left{text-align:left}.text-right{text-align:right}.text-center{text-align:center}.text-justify{text-align:justify}.text-nowrap{white-space:nowrap}.text-lowercase{text-transform:lowercase}.text-uppercase{text-transform:uppercase}.text-capitalize{text-transform:capitalize}.text-muted{color:#777}.text-primary{color:#428bca}a.text-primary:hover,a.text-primary:focus{color:#3071a9}.text-success{color:#3c763d}a.text-success:hover,a.text-success:focus{color:#2b542c}.text-info{color:#31708f}a.text-info:hover,a.text-info:focus{color:#245269}.text-warning{color:#8a6d3b}a.text-warning:hover,a.text-warning:focus{color:#66512c}.text-danger{color:#a94442}a.text-danger:hover,a.text-danger:focus{color:#843534}.bg-primary{color:#fff;background-color:#428bca}a.bg-primary:hover,a.bg-primary:focus{background-color:#3071a9}.bg-success{background-color:#dff0d8}a.bg-success:hover,a.bg-success:focus{background-color:#c1e2b3}.bg-info{background-color:#d9edf7}a.bg-info:hover,a.bg-info:focus{background-color:#afd9ee}.bg-warning{background-color:#fcf8e3}a.bg-warning:hover,a.bg-warning:focus{background-color:#f7ecb5}.bg-danger{background-color:#f2dede}a.bg-danger:hover,a.bg-danger:focus{background-color:#e4b9b9}.page-header{padding-bottom:9px;margin:40px 0 20px;border-bottom:1px solid #eee}ul,ol{margin-top:0;margin-bottom:10px}ul ul,ol ul,ul ol,ol ol{margin-bottom:0}.list-unstyled{padding-left:0;list-style:none}.list-inline{padding-left:0;list-style:none;margin-left:-5px}.list-inline>li{display:inline-block;padding-left:5px;padding-right:5px}dl{margin-top:0;margin-bottom:20px}dt,dd{line-height:1.42857143}dt{font-weight:bold}dd{margin-left:0}@media (min-width:768px){.dl-horizontal dt{float:left;width:160px;clear:left;text-align:right;overflow:hidden;text-overflow:ellipsis;white-space:nowrap}.dl-horizontal dd{margin-left:180px}}abbr[title],abbr[data-original-title]{cursor:help;border-bottom:1px dotted #777}.initialism{font-size:90%;text-transform:uppercase}blockquote{padding:10px 20px;margin:0 0 20px;font-size:17.5px;border-left:5px solid #eee}blockquote p:last-child,blockquote ul:last-child,blockquote ol:last-child{margin-bottom:0}blockquote footer,blockquote small,blockquote .small{display:block;font-size:80%;line-height:1.42857143;color:#777}blockquote footer:before,blockquote small:before,blockquote .small:before{content:'\2014 \00A0'}.blockquote-reverse,blockquote.pull-right{padding-right:15px;padding-left:0;border-right:5px solid #eee;border-left:0;text-align:right}.blockquote-reverse footer:before,blockquote.pull-right footer:before,.blockquote-reverse small:before,blockquote.pull-right small:before,.blockquote-reverse .small:before,blockquote.pull-right .small:before{content:''}.blockquote-reverse footer:after,blockquote.pull-right footer:after,.blockquote-reverse small:after,blockquote.pull-right small:after,.blockquote-reverse .small:after,blockquote.pull-right .small:after{content:'\00A0 \2014'}address{margin-bottom:20px;font-style:normal;line-height:1.42857143}code,kbd,pre,samp{font-family:Menlo,Monaco,Consolas,"Courier New",monospace}code{padding:2px 4px;font-size:90%;color:#c7254e;background-color:#f9f2f4;border-radius:4px}kbd{padding:2px 4px;font-size:90%;color:#fff;background-color:#333;border-radius:3px;-webkit-box-shadow:inset 0 -1px 0 rgba(0,0,0,0.25);box-shadow:inset 0 -1px 0 rgba(0,0,0,0.25)}kbd kbd{padding:0;font-size:100%;font-weight:bold;-webkit-box-shadow:none;box-shadow:none}pre{display:block;padding:9.5px;margin:0 0 10px;font-size:13px;line-height:1.42857143;word-break:break-all;word-wrap:break-word;color:#333;background-color:#f5f5f5;border:1px solid #ccc;border-radius:4px}pre code{padding:0;font-size:inherit;color:inherit;white-space:pre-wrap;background-color:transparent;border-radius:0}.pre-scrollable{max-height:340px;overflow-y:scroll}.container{margin-right:auto;margin-left:auto;padding-left:15px;padding-right:15px}@media (min-width:768px){.container{width:750px}}@media (min-width:992px){.container{width:970px}}@media (min-width:1200px){.container{width:1170px}}.container-fluid{margin-right:auto;margin-left:auto;padding-left:15px;padding-right:15px}.row{margin-left:-15px;margin-right:-15px}.col-xs-1, .col-sm-1, .col-md-1, .col-lg-1, .col-xs-2, .col-sm-2, .col-md-2, .col-lg-2, .col-xs-3, .col-sm-3, .col-md-3, .col-lg-3, .col-xs-4, .col-sm-4, .col-md-4, .col-lg-4, .col-xs-5, .col-sm-5, .col-md-5, .col-lg-5, .col-xs-6, .col-sm-6, .col-md-6, .col-lg-6, .col-xs-7, .col-sm-7, .col-md-7, .col-lg-7, .col-xs-8, .col-sm-8, .col-md-8, .col-lg-8, .col-xs-9, .col-sm-9, .col-md-9, .col-lg-9, .col-xs-10, .col-sm-10, .col-md-10, .col-lg-10, .col-xs-11, .col-sm-11, .col-md-11, .col-lg-11, .col-xs-12, .col-sm-12, .col-md-12, .col-lg-12{position:relative;min-height:1px;padding-left:15px;padding-right:15px}.col-xs-1, .col-xs-2, .col-xs-3, .col-xs-4, .col-xs-5, .col-xs-6, .col-xs-7, .col-xs-8, .col-xs-9, .col-xs-10, .col-xs-11, .col-xs-12{float:left}.col-xs-12{width:100%}.col-xs-11{width:91.66666667%}.col-xs-10{width:83.33333333%}.col-xs-9{width:75%}.col-xs-8{width:66.66666667%}.col-xs-7{width:58.33333333%}.col-xs-6{width:50%}.col-xs-5{width:41.66666667%}.col-xs-4{width:33.33333333%}.col-xs-3{width:25%}.col-xs-2{width:16.66666667%}.col-xs-1{width:8.33333333%}.col-xs-pull-12{right:100%}.col-xs-pull-11{right:91.66666667%}.col-xs-pull-10{right:83.33333333%}.col-xs-pull-9{right:75%}.col-xs-pull-8{right:66.66666667%}.col-xs-pull-7{right:58.33333333%}.col-xs-pull-6{right:50%}.col-xs-pull-5{right:41.66666667%}.col-xs-pull-4{right:33.33333333%}.col-xs-pull-3{right:25%}.col-xs-pull-2{right:16.66666667%}.col-xs-pull-1{right:8.33333333%}.col-xs-pull-0{right:auto}.col-xs-push-12{left:100%}.col-xs-push-11{left:91.66666667%}.col-xs-push-10{left:83.33333333%}.col-xs-push-9{left:75%}.col-xs-push-8{left:66.66666667%}.col-xs-push-7{left:58.33333333%}.col-xs-push-6{left:50%}.col-xs-push-5{left:41.66666667%}.col-xs-push-4{left:33.33333333%}.col-xs-push-3{left:25%}.col-xs-push-2{left:16.66666667%}.col-xs-push-1{left:8.33333333%}.col-xs-push-0{left:auto}.col-xs-offset-12{margin-left:100%}.col-xs-offset-11{margin-left:91.66666667%}.col-xs-offset-10{margin-left:83.33333333%}.col-xs-offset-9{margin-left:75%}.col-xs-offset-8{margin-left:66.66666667%}.col-xs-offset-7{margin-left:58.33333333%}.col-xs-offset-6{margin-left:50%}.col-xs-offset-5{margin-left:41.66666667%}.col-xs-offset-4{margin-left:33.33333333%}.col-xs-offset-3{margin-left:25%}.col-xs-offset-2{margin-left:16.66666667%}.col-xs-offset-1{margin-left:8.33333333%}.col-xs-offset-0{margin-left:0}@media (min-width:768px){.col-sm-1, .col-sm-2, .col-sm-3, .col-sm-4, .col-sm-5, .col-sm-6, .col-sm-7, .col-sm-8, .col-sm-9, .col-sm-10, .col-sm-11, .col-sm-12{float:left}.col-sm-12{width:100%}.col-sm-11{width:91.66666667%}.col-sm-10{width:83.33333333%}.col-sm-9{width:75%}.col-sm-8{width:66.66666667%}.col-sm-7{width:58.33333333%}.col-sm-6{width:50%}.col-sm-5{width:41.66666667%}.col-sm-4{width:33.33333333%}.col-sm-3{width:25%}.col-sm-2{width:16.66666667%}.col-sm-1{width:8.33333333%}.col-sm-pull-12{right:100%}.col-sm-pull-11{right:91.66666667%}.col-sm-pull-10{right:83.33333333%}.col-sm-pull-9{right:75%}.col-sm-pull-8{right:66.66666667%}.col-sm-pull-7{right:58.33333333%}.col-sm-pull-6{right:50%}.col-sm-pull-5{right:41.66666667%}.col-sm-pull-4{right:33.33333333%}.col-sm-pull-3{right:25%}.col-sm-pull-2{right:16.66666667%}.col-sm-pull-1{right:8.33333333%}.col-sm-pull-0{right:auto}.col-sm-push-12{left:100%}.col-sm-push-11{left:91.66666667%}.col-sm-push-10{left:83.33333333%}.col-sm-push-9{left:75%}.col-sm-push-8{left:66.66666667%}.col-sm-push-7{left:58.33333333%}.col-sm-push-6{left:50%}.col-sm-push-5{left:41.66666667%}.col-sm-push-4{left:33.33333333%}.col-sm-push-3{left:25%}.col-sm-push-2{left:16.66666667%}.col-sm-push-1{left:8.33333333%}.col-sm-push-0{left:auto}.col-sm-offset-12{margin-left:100%}.col-sm-offset-11{margin-left:91.66666667%}.col-sm-offset-10{margin-left:83.33333333%}.col-sm-offset-9{margin-left:75%}.col-sm-offset-8{margin-left:66.66666667%}.col-sm-offset-7{margin-left:58.33333333%}.col-sm-offset-6{margin-left:50%}.col-sm-offset-5{margin-left:41.66666667%}.col-sm-offset-4{margin-left:33.33333333%}.col-sm-offset-3{margin-left:25%}.col-sm-offset-2{margin-left:16.66666667%}.col-sm-offset-1{margin-left:8.33333333%}.col-sm-offset-0{margin-left:0}}@media (min-width:992px){.col-md-1, .col-md-2, .col-md-3, .col-md-4, .col-md-5, .col-md-6, .col-md-7, .col-md-8, .col-md-9, .col-md-10, .col-md-11, .col-md-12{float:left}.col-md-12{width:100%}.col-md-11{width:91.66666667%}.col-md-10{width:83.33333333%}.col-md-9{width:75%}.col-md-8{width:66.66666667%}.col-md-7{width:58.33333333%}.col-md-6{width:50%}.col-md-5{width:41.66666667%}.col-md-4{width:33.33333333%}.col-md-3{width:25%}.col-md-2{width:16.66666667%}.col-md-1{width:8.33333333%}.col-md-pull-12{right:100%}.col-md-pull-11{right:91.66666667%}.col-md-pull-10{right:83.33333333%}.col-md-pull-9{right:75%}.col-md-pull-8{right:66.66666667%}.col-md-pull-7{right:58.33333333%}.col-md-pull-6{right:50%}.col-md-pull-5{right:41.66666667%}.col-md-pull-4{right:33.33333333%}.col-md-pull-3{right:25%}.col-md-pull-2{right:16.66666667%}.col-md-pull-1{right:8.33333333%}.col-md-pull-0{right:auto}.col-md-push-12{left:100%}.col-md-push-11{left:91.66666667%}.col-md-push-10{left:83.33333333%}.col-md-push-9{left:75%}.col-md-push-8{left:66.66666667%}.col-md-push-7{left:58.33333333%}.col-md-push-6{left:50%}.col-md-push-5{left:41.66666667%}.col-md-push-4{left:33.33333333%}.col-md-push-3{left:25%}.col-md-push-2{left:16.66666667%}.col-md-push-1{left:8.33333333%}.col-md-push-0{left:auto}.col-md-offset-12{margin-left:100%}.col-md-offset-11{margin-left:91.66666667%}.col-md-offset-10{margin-left:83.33333333%}.col-md-offset-9{margin-left:75%}.col-md-offset-8{margin-left:66.66666667%}.col-md-offset-7{margin-left:58.33333333%}.col-md-offset-6{margin-left:50%}.col-md-offset-5{margin-left:41.66666667%}.col-md-offset-4{margin-left:33.33333333%}.col-md-offset-3{margin-left:25%}.col-md-offset-2{margin-left:16.66666667%}.col-md-offset-1{margin-left:8.33333333%}.col-md-offset-0{margin-left:0}}@media (min-width:1200px){.col-lg-1, .col-lg-2, .col-lg-3, .col-lg-4, .col-lg-5, .col-lg-6, .col-lg-7, .col-lg-8, .col-lg-9, .col-lg-10, .col-lg-11, .col-lg-12{float:left}.col-lg-12{width:100%}.col-lg-11{width:91.66666667%}.col-lg-10{width:83.33333333%}.col-lg-9{width:75%}.col-lg-8{width:66.66666667%}.col-lg-7{width:58.33333333%}.col-lg-6{width:50%}.col-lg-5{width:41.66666667%}.col-lg-4{width:33.33333333%}.col-lg-3{width:25%}.col-lg-2{width:16.66666667%}.col-lg-1{width:8.33333333%}.col-lg-pull-12{right:100%}.col-lg-pull-11{right:91.66666667%}.col-lg-pull-10{right:83.33333333%}.col-lg-pull-9{right:75%}.col-lg-pull-8{right:66.66666667%}.col-lg-pull-7{right:58.33333333%}.col-lg-pull-6{right:50%}.col-lg-pull-5{right:41.66666667%}.col-lg-pull-4{right:33.33333333%}.col-lg-pull-3{right:25%}.col-lg-pull-2{right:16.66666667%}.col-lg-pull-1{right:8.33333333%}.col-lg-pull-0{right:auto}.col-lg-push-12{left:100%}.col-lg-push-11{left:91.66666667%}.col-lg-push-10{left:83.33333333%}.col-lg-push-9{left:75%}.col-lg-push-8{left:66.66666667%}.col-lg-push-7{left:58.33333333%}.col-lg-push-6{left:50%}.col-lg-push-5{left:41.66666667%}.col-lg-push-4{left:33.33333333%}.col-lg-push-3{left:25%}.col-lg-push-2{left:16.66666667%}.col-lg-push-1{left:8.33333333%}.col-lg-push-0{left:auto}.col-lg-offset-12{margin-left:100%}.col-lg-offset-11{margin-left:91.66666667%}.col-lg-offset-10{margin-left:83.33333333%}.col-lg-offset-9{margin-left:75%}.col-lg-offset-8{margin-left:66.66666667%}.col-lg-offset-7{margin-left:58.33333333%}.col-lg-offset-6{margin-left:50%}.col-lg-offset-5{margin-left:41.66666667%}.col-lg-offset-4{margin-left:33.33333333%}.col-lg-offset-3{margin-left:25%}.col-lg-offset-2{margin-left:16.66666667%}.col-lg-offset-1{margin-left:8.33333333%}.col-lg-offset-0{margin-left:0}}table{background-color:transparent}caption{padding-top:8px;padding-bottom:8px;color:#777;text-align:left}th{text-align:left}.table{width:100%;max-width:100%;margin-bottom:20px}.table>thead>tr>th,.table>tbody>tr>th,.table>tfoot>tr>th,.table>thead>tr>td,.table>tbody>tr>td,.table>tfoot>tr>td{padding:8px;line-height:1.42857143;vertical-align:top;border-top:1px solid #ddd}.table>thead>tr>th{vertical-align:bottom;border-bottom:2px solid #ddd}.table>caption+thead>tr:first-child>th,.table>colgroup+thead>tr:first-child>th,.table>thead:first-child>tr:first-child>th,.table>caption+thead>tr:first-child>td,.table>colgroup+thead>tr:first-child>td,.table>thead:first-child>tr:first-child>td{border-top:0}.table>tbody+tbody{border-top:2px solid #ddd}.table .table{background-color:#fff}.table-condensed>thead>tr>th,.table-condensed>tbody>tr>th,.table-condensed>tfoot>tr>th,.table-condensed>thead>tr>td,.table-condensed>tbody>tr>td,.table-condensed>tfoot>tr>td{padding:5px}.table-bordered{border:1px solid #ddd}.table-bordered>thead>tr>th,.table-bordered>tbody>tr>th,.table-bordered>tfoot>tr>th,.table-bordered>thead>tr>td,.table-bordered>tbody>tr>td,.table-bordered>tfoot>tr>td{border:1px solid #ddd}.table-bordered>thead>tr>th,.table-bordered>thead>tr>td{border-bottom-width:2px}.table-striped>tbody>tr:nth-of-type(odd){background-color:#f9f9f9}.table-hover>tbody>tr:hover{background-color:#f5f5f5}table col[class*="col-"]{position:static;float:none;display:table-column}table td[class*="col-"],table th[class*="col-"]{position:static;float:none;display:table-cell}.table>thead>tr>td.active,.table>tbody>tr>td.active,.table>tfoot>tr>td.active,.table>thead>tr>th.active,.table>tbody>tr>th.active,.table>tfoot>tr>th.active,.table>thead>tr.active>td,.table>tbody>tr.active>td,.table>tfoot>tr.active>td,.table>thead>tr.active>th,.table>tbody>tr.active>th,.table>tfoot>tr.active>th{background-color:#f5f5f5}.table-hover>tbody>tr>td.active:hover,.table-hover>tbody>tr>th.active:hover,.table-hover>tbody>tr.active:hover>td,.table-hover>tbody>tr:hover>.active,.table-hover>tbody>tr.active:hover>th{background-color:#e8e8e8}.table>thead>tr>td.success,.table>tbody>tr>td.success,.table>tfoot>tr>td.success,.table>thead>tr>th.success,.table>tbody>tr>th.success,.table>tfoot>tr>th.success,.table>thead>tr.success>td,.table>tbody>tr.success>td,.table>tfoot>tr.success>td,.table>thead>tr.success>th,.table>tbody>tr.success>th,.table>tfoot>tr.success>th{background-color:#dff0d8}.table-hover>tbody>tr>td.success:hover,.table-hover>tbody>tr>th.success:hover,.table-hover>tbody>tr.success:hover>td,.table-hover>tbody>tr:hover>.success,.table-hover>tbody>tr.success:hover>th{background-color:#d0e9c6}.table>thead>tr>td.info,.table>tbody>tr>td.info,.table>tfoot>tr>td.info,.table>thead>tr>th.info,.table>tbody>tr>th.info,.table>tfoot>tr>th.info,.table>thead>tr.info>td,.table>tbody>tr.info>td,.table>tfoot>tr.info>td,.table>thead>tr.info>th,.table>tbody>tr.info>th,.table>tfoot>tr.info>th{background-color:#d9edf7}.table-hover>tbody>tr>td.info:hover,.table-hover>tbody>tr>th.info:hover,.table-hover>tbody>tr.info:hover>td,.table-hover>tbody>tr:hover>.info,.table-hover>tbody>tr.info:hover>th{background-color:#c4e3f3}.table>thead>tr>td.warning,.table>tbody>tr>td.warning,.table>tfoot>tr>td.warning,.table>thead>tr>th.warning,.table>tbody>tr>th.warning,.table>tfoot>tr>th.warning,.table>thead>tr.warning>td,.table>tbody>tr.warning>td,.table>tfoot>tr.warning>td,.table>thead>tr.warning>th,.table>tbody>tr.warning>th,.table>tfoot>tr.warning>th{background-color:#fcf8e3}.table-hover>tbody>tr>td.warning:hover,.table-hover>tbody>tr>th.warning:hover,.table-hover>tbody>tr.warning:hover>td,.table-hover>tbody>tr:hover>.warning,.table-hover>tbody>tr.warning:hover>th{background-color:#faf2cc}.table>thead>tr>td.danger,.table>tbody>tr>td.danger,.table>tfoot>tr>td.danger,.table>thead>tr>th.danger,.table>tbody>tr>th.danger,.table>tfoot>tr>th.danger,.table>thead>tr.danger>td,.table>tbody>tr.danger>td,.table>tfoot>tr.danger>td,.table>thead>tr.danger>th,.table>tbody>tr.danger>th,.table>tfoot>tr.danger>th{background-color:#f2dede}.table-hover>tbody>tr>td.danger:hover,.table-hover>tbody>tr>th.danger:hover,.table-hover>tbody>tr.danger:hover>td,.table-hover>tbody>tr:hover>.danger,.table-hover>tbody>tr.danger:hover>th{background-color:#ebcccc}.table-responsive{overflow-x:auto;min-height:0.01%}@media screen and (max-width:767px){.table-responsive{width:100%;margin-bottom:15px;overflow-y:hidden;-ms-overflow-style:-ms-autohiding-scrollbar;border:1px solid #ddd}.table-responsive>.table{margin-bottom:0}.table-responsive>.table>thead>tr>th,.table-responsive>.table>tbody>tr>th,.table-responsive>.table>tfoot>tr>th,.table-responsive>.table>thead>tr>td,.table-responsive>.table>tbody>tr>td,.table-responsive>.table>tfoot>tr>td{white-space:nowrap}.table-responsive>.table-bordered{border:0}.table-responsive>.table-bordered>thead>tr>th:first-child,.table-responsive>.table-bordered>tbody>tr>th:first-child,.table-responsive>.table-bordered>tfoot>tr>th:first-child,.table-responsive>.table-bordered>thead>tr>td:first-child,.table-responsive>.table-bordered>tbody>tr>td:first-child,.table-responsive>.table-bordered>tfoot>tr>td:first-child{border-left:0}.table-responsive>.table-bordered>thead>tr>th:last-child,.table-responsive>.table-bordered>tbody>tr>th:last-child,.table-responsive>.table-bordered>tfoot>tr>th:last-child,.table-responsive>.table-bordered>thead>tr>td:last-child,.table-responsive>.table-bordered>tbody>tr>td:last-child,.table-responsive>.table-bordered>tfoot>tr>td:last-child{border-right:0}.table-responsive>.table-bordered>tbody>tr:last-child>th,.table-responsive>.table-bordered>tfoot>tr:last-child>th,.table-responsive>.table-bordered>tbody>tr:last-child>td,.table-responsive>.table-bordered>tfoot>tr:last-child>td{border-bottom:0}}fieldset{padding:0;margin:0;border:0;min-width:0}legend{display:block;width:100%;padding:0;margin-bottom:20px;font-size:21px;line-height:inherit;color:#333;border:0;border-bottom:1px solid #e5e5e5}label{display:inline-block;max-width:100%;margin-bottom:5px;font-weight:bold}input[type="search"]{-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}input[type="radio"],input[type="checkbox"]{margin:4px 0 0;margin-top:1px \9;line-height:normal}input[type="file"]{display:block}input[type="range"]{display:block;width:100%}select[multiple],select[size]{height:auto}input[type="file"]:focus,input[type="radio"]:focus,input[type="checkbox"]:focus{outline:5px auto -webkit-focus-ring-color;outline-offset:-2px}output{display:block;padding-top:7px;font-size:14px;line-height:1.42857143;color:#555}.form-control{display:block;width:100%;height:34px;padding:6px 12px;font-size:14px;line-height:1.42857143;color:#555;background-color:#fff;background-image:none;border:1px solid #ccc;border-radius:4px;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,0.075);box-shadow:inset 0 1px 1px rgba(0,0,0,0.075);-webkit-transition:border-color ease-in-out .15s, -webkit-box-shadow ease-in-out .15s;-o-transition:border-color ease-in-out .15s, box-shadow ease-in-out .15s;transition:border-color ease-in-out .15s, box-shadow ease-in-out .15s}.form-control:focus{border-color:#66afe9;outline:0;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075), 0 0 8px rgba(102, 175, 233, 0.6);box-shadow:inset 0 1px 1px rgba(0,0,0,.075), 0 0 8px rgba(102, 175, 233, 0.6)}.form-control::-moz-placeholder{color:#777;opacity:1}.form-control:-ms-input-placeholder{color:#777}.form-control::-webkit-input-placeholder{color:#777}.form-control::-ms-expand{border:0;background-color:transparent}.form-control[disabled],.form-control[readonly],fieldset[disabled] .form-control{background-color:#eee;opacity:1}.form-control[disabled],fieldset[disabled] .form-control{cursor:not-allowed}textarea.form-control{height:auto}input[type="search"]{-webkit-appearance:none}@media screen and (-webkit-min-device-pixel-ratio:0){input[type="date"].form-control,input[type="time"].form-control,input[type="datetime-local"].form-control,input[type="month"].form-control{line-height:34px}input[type="date"].input-sm,input[type="time"].input-sm,input[type="datetime-local"].input-sm,input[type="month"].input-sm,.input-group-sm input[type="date"],.input-group-sm input[type="time"],.input-group-sm input[type="datetime-local"],.input-group-sm input[type="month"]{line-height:30px}input[type="date"].input-lg,input[type="time"].input-lg,input[type="datetime-local"].input-lg,input[type="month"].input-lg,.input-group-lg input[type="date"],.input-group-lg input[type="time"],.input-group-lg input[type="datetime-local"],.input-group-lg input[type="month"]{line-height:46px}}.form-group{margin-bottom:15px}.radio,.checkbox{position:relative;display:block;margin-top:10px;margin-bottom:10px}.radio label,.checkbox label{min-height:20px;padding-left:20px;margin-bottom:0;font-weight:normal;cursor:pointer}.radio input[type="radio"],.radio-inline input[type="radio"],.checkbox input[type="checkbox"],.checkbox-inline input[type="checkbox"]{position:absolute;margin-left:-20px;margin-top:4px \9}.radio+.radio,.checkbox+.checkbox{margin-top:-5px}.radio-inline,.checkbox-inline{position:relative;display:inline-block;padding-left:20px;margin-bottom:0;vertical-align:middle;font-weight:normal;cursor:pointer}.radio-inline+.radio-inline,.checkbox-inline+.checkbox-inline{margin-top:0;margin-left:10px}input[type="radio"][disabled],input[type="checkbox"][disabled],input[type="radio"].disabled,input[type="checkbox"].disabled,fieldset[disabled] input[type="radio"],fieldset[disabled] input[type="checkbox"]{cursor:not-allowed}.radio-inline.disabled,.checkbox-inline.disabled,fieldset[disabled] .radio-inline,fieldset[disabled] .checkbox-inline{cursor:not-allowed}.radio.disabled label,.checkbox.disabled label,fieldset[disabled] .radio label,fieldset[disabled] .checkbox label{cursor:not-allowed}.form-control-static{padding-top:7px;padding-bottom:7px;margin-bottom:0;min-height:34px}.form-control-static.input-lg,.form-control-static.input-sm{padding-left:0;padding-right:0}.input-sm{height:30px;padding:5px 10px;font-size:12px;line-height:1.5;border-radius:3px}select.input-sm{height:30px;line-height:30px}textarea.input-sm,select[multiple].input-sm{height:auto}.form-group-sm .form-control{height:30px;padding:5px 10px;font-size:12px;line-height:1.5;border-radius:3px}.form-group-sm select.form-control{height:30px;line-height:30px}.form-group-sm textarea.form-control,.form-group-sm select[multiple].form-control{height:auto}.form-group-sm .form-control-static{height:30px;min-height:32px;padding:6px 10px;font-size:12px;line-height:1.5}.input-lg{height:46px;padding:10px 16px;font-size:18px;line-height:1.33;border-radius:6px}select.input-lg{height:46px;line-height:46px}textarea.input-lg,select[multiple].input-lg{height:auto}.form-group-lg .form-control{height:46px;padding:10px 16px;font-size:18px;line-height:1.33;border-radius:6px}.form-group-lg select.form-control{height:46px;line-height:46px}.form-group-lg textarea.form-control,.form-group-lg select[multiple].form-control{height:auto}.form-group-lg .form-control-static{height:46px;min-height:38px;padding:11px 16px;font-size:18px;line-height:1.33}.has-feedback{position:relative}.has-feedback .form-control{padding-right:42.5px}.form-control-feedback{position:absolute;top:0;right:0;z-index:2;display:block;width:34px;height:34px;line-height:34px;text-align:center;pointer-events:none}.input-lg+.form-control-feedback,.input-group-lg+.form-control-feedback,.form-group-lg .form-control+.form-control-feedback{width:46px;height:46px;line-height:46px}.input-sm+.form-control-feedback,.input-group-sm+.form-control-feedback,.form-group-sm .form-control+.form-control-feedback{width:30px;height:30px;line-height:30px}.has-success .help-block,.has-success .control-label,.has-success .radio,.has-success .checkbox,.has-success .radio-inline,.has-success .checkbox-inline,.has-success.radio label,.has-success.checkbox label,.has-success.radio-inline label,.has-success.checkbox-inline label{color:#3c763d}.has-success .form-control{border-color:#3c763d;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,0.075);box-shadow:inset 0 1px 1px rgba(0,0,0,0.075)}.has-success .form-control:focus{border-color:#2b542c;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,0.075),0 0 6px #67b168;box-shadow:inset 0 1px 1px rgba(0,0,0,0.075),0 0 6px #67b168}.has-success .input-group-addon{color:#3c763d;border-color:#3c763d;background-color:#dff0d8}.has-success .form-control-feedback{color:#3c763d}.has-warning .help-block,.has-warning .control-label,.has-warning .radio,.has-warning .checkbox,.has-warning .radio-inline,.has-warning .checkbox-inline,.has-warning.radio label,.has-warning.checkbox label,.has-warning.radio-inline label,.has-warning.checkbox-inline label{color:#8a6d3b}.has-warning .form-control{border-color:#8a6d3b;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,0.075);box-shadow:inset 0 1px 1px rgba(0,0,0,0.075)}.has-warning .form-control:focus{border-color:#66512c;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,0.075),0 0 6px #c0a16b;box-shadow:inset 0 1px 1px rgba(0,0,0,0.075),0 0 6px #c0a16b}.has-warning .input-group-addon{color:#8a6d3b;border-color:#8a6d3b;background-color:#fcf8e3}.has-warning .form-control-feedback{color:#8a6d3b}.has-error .help-block,.has-error .control-label,.has-error .radio,.has-error .checkbox,.has-error .radio-inline,.has-error .checkbox-inline,.has-error.radio label,.has-error.checkbox label,.has-error.radio-inline label,.has-error.checkbox-inline label{color:#a94442}.has-error .form-control{border-color:#a94442;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,0.075);box-shadow:inset 0 1px 1px rgba(0,0,0,0.075)}.has-error .form-control:focus{border-color:#843534;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,0.075),0 0 6px #ce8483;box-shadow:inset 0 1px 1px rgba(0,0,0,0.075),0 0 6px #ce8483}.has-error .input-group-addon{color:#a94442;border-color:#a94442;background-color:#f2dede}.has-error .form-control-feedback{color:#a94442}.has-feedback label~.form-control-feedback{top:25px}.has-feedback label.sr-only~.form-control-feedback{top:0}.help-block{display:block;margin-top:5px;margin-bottom:10px;color:#737373}@media (min-width:768px){.form-inline .form-group{display:inline-block;margin-bottom:0;vertical-align:middle}.form-inline .form-control{display:inline-block;width:auto;vertical-align:middle}.form-inline .form-control-static{display:inline-block}.form-inline .input-group{display:inline-table;vertical-align:middle}.form-inline .input-group .input-group-addon,.form-inline .input-group .input-group-btn,.form-inline .input-group .form-control{width:auto}.form-inline .input-group>.form-control{width:100%}.form-inline .control-label{margin-bottom:0;vertical-align:middle}.form-inline .radio,.form-inline .checkbox{display:inline-block;margin-top:0;margin-bottom:0;vertical-align:middle}.form-inline .radio label,.form-inline .checkbox label{padding-left:0}.form-inline .radio input[type="radio"],.form-inline .checkbox input[type="checkbox"]{position:relative;margin-left:0}.form-inline .has-feedback .form-control-feedback{top:0}}.form-horizontal .radio,.form-horizontal .checkbox,.form-horizontal .radio-inline,.form-horizontal .checkbox-inline{margin-top:0;margin-bottom:0;padding-top:7px}.form-horizontal .radio,.form-horizontal .checkbox{min-height:27px}.form-horizontal .form-group{margin-left:-15px;margin-right:-15px}@media (min-width:768px){.form-horizontal .control-label{text-align:right;margin-bottom:0;padding-top:7px}}.form-horizontal .has-feedback .form-control-feedback{right:15px}@media (min-width:768px){.form-horizontal .form-group-lg .control-label{padding-top:11px;font-size:18px}}@media (min-width:768px){.form-horizontal .form-group-sm .control-label{padding-top:6px;font-size:12px}}.btn{display:inline-block;margin-bottom:0;font-weight:normal;text-align:center;vertical-align:middle;-ms-touch-action:manipulation;touch-action:manipulation;cursor:pointer;background-image:none;border:1px solid transparent;white-space:nowrap;padding:6px 12px;font-size:14px;line-height:1.42857143;border-radius:4px;-webkit-user-select:none;-moz-user-select:none;-ms-user-select:none;user-select:none}.btn:focus,.btn:active:focus,.btn.active:focus,.btn.focus,.btn:active.focus,.btn.active.focus{outline:5px auto -webkit-focus-ring-color;outline-offset:-2px}.btn:hover,.btn:focus,.btn.focus{color:#333;text-decoration:none}.btn:active,.btn.active{outline:0;background-image:none;-webkit-box-shadow:inset 0 3px 5px rgba(0,0,0,0.125);box-shadow:inset 0 3px 5px rgba(0,0,0,0.125)}.btn.disabled,.btn[disabled],fieldset[disabled] .btn{cursor:not-allowed;opacity:.65;filter:alpha(opacity=65);-webkit-box-shadow:none;box-shadow:none}a.btn.disabled,fieldset[disabled] a.btn{pointer-events:none}.btn-default{color:#333;background-color:#fff;border-color:#ccc}.btn-default:focus,.btn-default.focus{color:#333;background-color:#e6e6e6;border-color:#8c8c8c}.btn-default:hover{color:#333;background-color:#e6e6e6;border-color:#adadad}.btn-default:active,.btn-default.active,.open>.dropdown-toggle.btn-default{color:#333;background-color:#e6e6e6;border-color:#adadad}.btn-default:active:hover,.btn-default.active:hover,.open>.dropdown-toggle.btn-default:hover,.btn-default:active:focus,.btn-default.active:focus,.open>.dropdown-toggle.btn-default:focus,.btn-default:active.focus,.btn-default.active.focus,.open>.dropdown-toggle.btn-default.focus{color:#333;background-color:#d4d4d4;border-color:#8c8c8c}.btn-default:active,.btn-default.active,.open>.dropdown-toggle.btn-default{background-image:none}.btn-default.disabled:hover,.btn-default[disabled]:hover,fieldset[disabled] .btn-default:hover,.btn-default.disabled:focus,.btn-default[disabled]:focus,fieldset[disabled] .btn-default:focus,.btn-default.disabled.focus,.btn-default[disabled].focus,fieldset[disabled] .btn-default.focus{background-color:#fff;border-color:#ccc}.btn-default .badge{color:#fff;background-color:#333}.btn-primary{color:#fff;background-color:#428bca;border-color:#357ebd}.btn-primary:focus,.btn-primary.focus{color:#fff;background-color:#3071a9;border-color:#193c5a}.btn-primary:hover{color:#fff;background-color:#3071a9;border-color:#285e8e}.btn-primary:active,.btn-primary.active,.open>.dropdown-toggle.btn-primary{color:#fff;background-color:#3071a9;border-color:#285e8e}.btn-primary:active:hover,.btn-primary.active:hover,.open>.dropdown-toggle.btn-primary:hover,.btn-primary:active:focus,.btn-primary.active:focus,.open>.dropdown-toggle.btn-primary:focus,.btn-primary:active.focus,.btn-primary.active.focus,.open>.dropdown-toggle.btn-primary.focus{color:#fff;background-color:#285e8e;border-color:#193c5a}.btn-primary:active,.btn-primary.active,.open>.dropdown-toggle.btn-primary{background-image:none}.btn-primary.disabled:hover,.btn-primary[disabled]:hover,fieldset[disabled] .btn-primary:hover,.btn-primary.disabled:focus,.btn-primary[disabled]:focus,fieldset[disabled] .btn-primary:focus,.btn-primary.disabled.focus,.btn-primary[disabled].focus,fieldset[disabled] .btn-primary.focus{background-color:#428bca;border-color:#357ebd}.btn-primary .badge{color:#428bca;background-color:#fff}.btn-success{color:#fff;background-color:#5cb85c;border-color:#4cae4c}.btn-success:focus,.btn-success.focus{color:#fff;background-color:#449d44;border-color:#255625}.btn-success:hover{color:#fff;background-color:#449d44;border-color:#398439}.btn-success:active,.btn-success.active,.open>.dropdown-toggle.btn-success{color:#fff;background-color:#449d44;border-color:#398439}.btn-success:active:hover,.btn-success.active:hover,.open>.dropdown-toggle.btn-success:hover,.btn-success:active:focus,.btn-success.active:focus,.open>.dropdown-toggle.btn-success:focus,.btn-success:active.focus,.btn-success.active.focus,.open>.dropdown-toggle.btn-success.focus{color:#fff;background-color:#398439;border-color:#255625}.btn-success:active,.btn-success.active,.open>.dropdown-toggle.btn-success{background-image:none}.btn-success.disabled:hover,.btn-success[disabled]:hover,fieldset[disabled] .btn-success:hover,.btn-success.disabled:focus,.btn-success[disabled]:focus,fieldset[disabled] .btn-success:focus,.btn-success.disabled.focus,.btn-success[disabled].focus,fieldset[disabled] .btn-success.focus{background-color:#5cb85c;border-color:#4cae4c}.btn-success .badge{color:#5cb85c;background-color:#fff}.btn-info{color:#fff;background-color:#5bc0de;border-color:#46b8da}.btn-info:focus,.btn-info.focus{color:#fff;background-color:#31b0d5;border-color:#1b6d85}.btn-info:hover{color:#fff;background-color:#31b0d5;border-color:#269abc}.btn-info:active,.btn-info.active,.open>.dropdown-toggle.btn-info{color:#fff;background-color:#31b0d5;border-color:#269abc}.btn-info:active:hover,.btn-info.active:hover,.open>.dropdown-toggle.btn-info:hover,.btn-info:active:focus,.btn-info.active:focus,.open>.dropdown-toggle.btn-info:focus,.btn-info:active.focus,.btn-info.active.focus,.open>.dropdown-toggle.btn-info.focus{color:#fff;background-color:#269abc;border-color:#1b6d85}.btn-info:active,.btn-info.active,.open>.dropdown-toggle.btn-info{background-image:none}.btn-info.disabled:hover,.btn-info[disabled]:hover,fieldset[disabled] .btn-info:hover,.btn-info.disabled:focus,.btn-info[disabled]:focus,fieldset[disabled] .btn-info:focus,.btn-info.disabled.focus,.btn-info[disabled].focus,fieldset[disabled] .btn-info.focus{background-color:#5bc0de;border-color:#46b8da}.btn-info .badge{color:#5bc0de;background-color:#fff}.btn-warning{color:#fff;background-color:#f0ad4e;border-color:#eea236}.btn-warning:focus,.btn-warning.focus{color:#fff;background-color:#ec971f;border-color:#985f0d}.btn-warning:hover{color:#fff;background-color:#ec971f;border-color:#d58512}.btn-warning:active,.btn-warning.active,.open>.dropdown-toggle.btn-warning{color:#fff;background-color:#ec971f;border-color:#d58512}.btn-warning:active:hover,.btn-warning.active:hover,.open>.dropdown-toggle.btn-warning:hover,.btn-warning:active:focus,.btn-warning.active:focus,.open>.dropdown-toggle.btn-warning:focus,.btn-warning:active.focus,.btn-warning.active.focus,.open>.dropdown-toggle.btn-warning.focus{color:#fff;background-color:#d58512;border-color:#985f0d}.btn-warning:active,.btn-warning.active,.open>.dropdown-toggle.btn-warning{background-image:none}.btn-warning.disabled:hover,.btn-warning[disabled]:hover,fieldset[disabled] .btn-warning:hover,.btn-warning.disabled:focus,.btn-warning[disabled]:focus,fieldset[disabled] .btn-warning:focus,.btn-warning.disabled.focus,.btn-warning[disabled].focus,fieldset[disabled] .btn-warning.focus{background-color:#f0ad4e;border-color:#eea236}.btn-warning .badge{color:#f0ad4e;background-color:#fff}.btn-danger{color:#fff;background-color:#d9534f;border-color:#d43f3a}.btn-danger:focus,.btn-danger.focus{color:#fff;background-color:#c9302c;border-color:#761c19}.btn-danger:hover{color:#fff;background-color:#c9302c;border-color:#ac2925}.btn-danger:active,.btn-danger.active,.open>.dropdown-toggle.btn-danger{color:#fff;background-color:#c9302c;border-color:#ac2925}.btn-danger:active:hover,.btn-danger.active:hover,.open>.dropdown-toggle.btn-danger:hover,.btn-danger:active:focus,.btn-danger.active:focus,.open>.dropdown-toggle.btn-danger:focus,.btn-danger:active.focus,.btn-danger.active.focus,.open>.dropdown-toggle.btn-danger.focus{color:#fff;background-color:#ac2925;border-color:#761c19}.btn-danger:active,.btn-danger.active,.open>.dropdown-toggle.btn-danger{background-image:none}.btn-danger.disabled:hover,.btn-danger[disabled]:hover,fieldset[disabled] .btn-danger:hover,.btn-danger.disabled:focus,.btn-danger[disabled]:focus,fieldset[disabled] .btn-danger:focus,.btn-danger.disabled.focus,.btn-danger[disabled].focus,fieldset[disabled] .btn-danger.focus{background-color:#d9534f;border-color:#d43f3a}.btn-danger .badge{color:#d9534f;background-color:#fff}.btn-link{color:#428bca;font-weight:normal;border-radius:0}.btn-link,.btn-link:active,.btn-link.active,.btn-link[disabled],fieldset[disabled] .btn-link{background-color:transparent;-webkit-box-shadow:none;box-shadow:none}.btn-link,.btn-link:hover,.btn-link:focus,.btn-link:active{border-color:transparent}.btn-link:hover,.btn-link:focus{color:#2a6496;text-decoration:underline;background-color:transparent}.btn-link[disabled]:hover,fieldset[disabled] .btn-link:hover,.btn-link[disabled]:focus,fieldset[disabled] .btn-link:focus{color:#777;text-decoration:none}.btn-lg,.btn-group-lg>.btn{padding:10px 16px;font-size:18px;line-height:1.33;border-radius:6px}.btn-sm,.btn-group-sm>.btn{padding:5px 10px;font-size:12px;line-height:1.5;border-radius:3px}.btn-xs,.btn-group-xs>.btn{padding:1px 5px;font-size:12px;line-height:1.5;border-radius:3px}.btn-block{display:block;width:100%}.btn-block+.btn-block{margin-top:5px}input[type="submit"].btn-block,input[type="reset"].btn-block,input[type="button"].btn-block{width:100%}.fade{opacity:0;-webkit-transition:opacity .15s linear;-o-transition:opacity .15s linear;transition:opacity .15s linear}.fade.in{opacity:1}.collapse{display:none}.collapse.in{display:block}tr.collapse.in{display:table-row}tbody.collapse.in{display:table-row-group}.collapsing{position:relative;height:0;overflow:hidden;-webkit-transition-property:height, visibility;-o-transition-property:height, visibility;transition-property:height, visibility;-webkit-transition-duration:.35s;-o-transition-duration:.35s;transition-duration:.35s;-webkit-transition-timing-function:ease;-o-transition-timing-function:ease;transition-timing-function:ease}.btn-group,.btn-group-vertical{position:relative;display:inline-block;vertical-align:middle}.btn-group>.btn,.btn-group-vertical>.btn{position:relative;float:left}.btn-group>.btn:hover,.btn-group-vertical>.btn:hover,.btn-group>.btn:focus,.btn-group-vertical>.btn:focus,.btn-group>.btn:active,.btn-group-vertical>.btn:active,.btn-group>.btn.active,.btn-group-vertical>.btn.active{z-index:2}.btn-group .btn+.btn,.btn-group .btn+.btn-group,.btn-group .btn-group+.btn,.btn-group .btn-group+.btn-group{margin-left:-1px}.btn-toolbar{margin-left:-5px}.btn-toolbar .btn,.btn-toolbar .btn-group,.btn-toolbar .input-group{float:left}.btn-toolbar>.btn,.btn-toolbar>.btn-group,.btn-toolbar>.input-group{margin-left:5px}.btn-group>.btn:not(:first-child):not(:last-child):not(.dropdown-toggle){border-radius:0}.btn-group>.btn:first-child{margin-left:0}.btn-group>.btn:first-child:not(:last-child):not(.dropdown-toggle){border-bottom-right-radius:0;border-top-right-radius:0}.btn-group>.btn:last-child:not(:first-child),.btn-group>.dropdown-toggle:not(:first-child){border-bottom-left-radius:0;border-top-left-radius:0}.btn-group>.btn-group{float:left}.btn-group>.btn-group:not(:first-child):not(:last-child)>.btn{border-radius:0}.btn-group>.btn-group:first-child:not(:last-child)>.btn:last-child,.btn-group>.btn-group:first-child:not(:last-child)>.dropdown-toggle{border-bottom-right-radius:0;border-top-right-radius:0}.btn-group>.btn-group:last-child:not(:first-child)>.btn:first-child{border-bottom-left-radius:0;border-top-left-radius:0}.btn-group .dropdown-toggle:active,.btn-group.open .dropdown-toggle{outline:0}.btn-group>.btn+.dropdown-toggle{padding-left:8px;padding-right:8px}.btn-group>.btn-lg+.dropdown-toggle{padding-left:12px;padding-right:12px}.btn-group.open .dropdown-toggle{-webkit-box-shadow:inset 0 3px 5px rgba(0,0,0,0.125);box-shadow:inset 0 3px 5px rgba(0,0,0,0.125)}.btn-group.open .dropdown-toggle.btn-link{-webkit-box-shadow:none;box-shadow:none}.btn .caret{margin-left:0}.btn-lg .caret{border-width:5px 5px 0;border-bottom-width:0}.dropup .btn-lg .caret{border-width:0 5px 5px}.btn-group-vertical>.btn,.btn-group-vertical>.btn-group,.btn-group-vertical>.btn-group>.btn{display:block;float:none;width:100%;max-width:100%}.btn-group-vertical>.btn-group>.btn{float:none}.btn-group-vertical>.btn+.btn,.btn-group-vertical>.btn+.btn-group,.btn-group-vertical>.btn-group+.btn,.btn-group-vertical>.btn-group+.btn-group{margin-top:-1px;margin-left:0}.btn-group-vertical>.btn:not(:first-child):not(:last-child){border-radius:0}.btn-group-vertical>.btn:first-child:not(:last-child){border-top-right-radius:4px;border-top-left-radius:4px;border-bottom-right-radius:0;border-bottom-left-radius:0}.btn-group-vertical>.btn:last-child:not(:first-child){border-top-right-radius:0;border-top-left-radius:0;border-bottom-right-radius:4px;border-bottom-left-radius:4px}.btn-group-vertical>.btn-group:not(:first-child):not(:last-child)>.btn{border-radius:0}.btn-group-vertical>.btn-group:first-child:not(:last-child)>.btn:last-child,.btn-group-vertical>.btn-group:first-child:not(:last-child)>.dropdown-toggle{border-bottom-right-radius:0;border-bottom-left-radius:0}.btn-group-vertical>.btn-group:last-child:not(:first-child)>.btn:first-child{border-top-right-radius:0;border-top-left-radius:0}.btn-group-justified{display:table;width:100%;table-layout:fixed;border-collapse:separate}.btn-group-justified>.btn,.btn-group-justified>.btn-group{float:none;display:table-cell;width:1%}.btn-group-justified>.btn-group .btn{width:100%}.btn-group-justified>.btn-group .dropdown-menu{left:auto}[data-toggle="buttons"]>.btn input[type="radio"],[data-toggle="buttons"]>.btn-group>.btn input[type="radio"],[data-toggle="buttons"]>.btn input[type="checkbox"],[data-toggle="buttons"]>.btn-group>.btn input[type="checkbox"]{position:absolute;clip:rect(0, 0, 0, 0);pointer-events:none}.input-group{position:relative;display:table;border-collapse:separate}.input-group[class*="col-"]{float:none;padding-left:0;padding-right:0}.input-group .form-control{position:relative;z-index:2;float:left;width:100%;margin-bottom:0}.input-group .form-control:focus{z-index:3}.input-group-lg>.form-control,.input-group-lg>.input-group-addon,.input-group-lg>.input-group-btn>.btn{height:46px;padding:10px 16px;font-size:18px;line-height:1.33;border-radius:6px}select.input-group-lg>.form-control,select.input-group-lg>.input-group-addon,select.input-group-lg>.input-group-btn>.btn{height:46px;line-height:46px}textarea.input-group-lg>.form-control,textarea.input-group-lg>.input-group-addon,textarea.input-group-lg>.input-group-btn>.btn,select[multiple].input-group-lg>.form-control,select[multiple].input-group-lg>.input-group-addon,select[multiple].input-group-lg>.input-group-btn>.btn{height:auto}.input-group-sm>.form-control,.input-group-sm>.input-group-addon,.input-group-sm>.input-group-btn>.btn{height:30px;padding:5px 10px;font-size:12px;line-height:1.5;border-radius:3px}select.input-group-sm>.form-control,select.input-group-sm>.input-group-addon,select.input-group-sm>.input-group-btn>.btn{height:30px;line-height:30px}textarea.input-group-sm>.form-control,textarea.input-group-sm>.input-group-addon,textarea.input-group-sm>.input-group-btn>.btn,select[multiple].input-group-sm>.form-control,select[multiple].input-group-sm>.input-group-addon,select[multiple].input-group-sm>.input-group-btn>.btn{height:auto}.input-group-addon,.input-group-btn,.input-group .form-control{display:table-cell}.input-group-addon:not(:first-child):not(:last-child),.input-group-btn:not(:first-child):not(:last-child),.input-group .form-control:not(:first-child):not(:last-child){border-radius:0}.input-group-addon,.input-group-btn{width:1%;white-space:nowrap;vertical-align:middle}.input-group-addon{padding:6px 12px;font-size:14px;font-weight:normal;line-height:1;color:#555;text-align:center;background-color:#eee;border:1px solid #ccc;border-radius:4px}.input-group-addon.input-sm{padding:5px 10px;font-size:12px;border-radius:3px}.input-group-addon.input-lg{padding:10px 16px;font-size:18px;border-radius:6px}.input-group-addon input[type="radio"],.input-group-addon input[type="checkbox"]{margin-top:0}.input-group .form-control:first-child,.input-group-addon:first-child,.input-group-btn:first-child>.btn,.input-group-btn:first-child>.btn-group>.btn,.input-group-btn:first-child>.dropdown-toggle,.input-group-btn:last-child>.btn:not(:last-child):not(.dropdown-toggle),.input-group-btn:last-child>.btn-group:not(:last-child)>.btn{border-bottom-right-radius:0;border-top-right-radius:0}.input-group-addon:first-child{border-right:0}.input-group .form-control:last-child,.input-group-addon:last-child,.input-group-btn:last-child>.btn,.input-group-btn:last-child>.btn-group>.btn,.input-group-btn:last-child>.dropdown-toggle,.input-group-btn:first-child>.btn:not(:first-child),.input-group-btn:first-child>.btn-group:not(:first-child)>.btn{border-bottom-left-radius:0;border-top-left-radius:0}.input-group-addon:last-child{border-left:0}.input-group-btn{position:relative;font-size:0;white-space:nowrap}.input-group-btn>.btn{position:relative}.input-group-btn>.btn+.btn{margin-left:-1px}.input-group-btn>.btn:hover,.input-group-btn>.btn:focus,.input-group-btn>.btn:active{z-index:2}.input-group-btn:first-child>.btn,.input-group-btn:first-child>.btn-group{margin-right:-1px}.input-group-btn:last-child>.btn,.input-group-btn:last-child>.btn-group{z-index:2;margin-left:-1px}.nav{margin-bottom:0;padding-left:0;list-style:none}.nav>li{position:relative;display:block}.nav>li>a{position:relative;display:block;padding:10px 15px}.nav>li>a:hover,.nav>li>a:focus{text-decoration:none;background-color:#eee}.nav>li.disabled>a{color:#777}.nav>li.disabled>a:hover,.nav>li.disabled>a:focus{color:#777;text-decoration:none;background-color:transparent;cursor:not-allowed}.nav .open>a,.nav .open>a:hover,.nav .open>a:focus{background-color:#eee;border-color:#428bca}.nav .nav-divider{height:1px;margin:9px 0;overflow:hidden;background-color:#e5e5e5}.nav>li>a>img{max-width:none}.nav-tabs{border-bottom:1px solid #ddd}.nav-tabs>li{float:left;margin-bottom:-1px}.nav-tabs>li>a{margin-right:2px;line-height:1.42857143;border:1px solid transparent;border-radius:4px 4px 0 0}.nav-tabs>li>a:hover{border-color:#eee #eee #ddd}.nav-tabs>li.active>a,.nav-tabs>li.active>a:hover,.nav-tabs>li.active>a:focus{color:#555;background-color:#fff;border:1px solid #ddd;border-bottom-color:transparent;cursor:default}.nav-tabs.nav-justified{width:100%;border-bottom:0}.nav-tabs.nav-justified>li{float:none}.nav-tabs.nav-justified>li>a{text-align:center;margin-bottom:5px}.nav-tabs.nav-justified>.dropdown .dropdown-menu{top:auto;left:auto}@media (min-width:768px){.nav-tabs.nav-justified>li{display:table-cell;width:1%}.nav-tabs.nav-justified>li>a{margin-bottom:0}}.nav-tabs.nav-justified>li>a{margin-right:0;border-radius:4px}.nav-tabs.nav-justified>.active>a,.nav-tabs.nav-justified>.active>a:hover,.nav-tabs.nav-justified>.active>a:focus{border:1px solid #ddd}@media (min-width:768px){.nav-tabs.nav-justified>li>a{border-bottom:1px solid #ddd;border-radius:4px 4px 0 0}.nav-tabs.nav-justified>.active>a,.nav-tabs.nav-justified>.active>a:hover,.nav-tabs.nav-justified>.active>a:focus{border-bottom-color:#fff}}.nav-pills>li{float:left}.nav-pills>li>a{border-radius:4px}.nav-pills>li+li{margin-left:2px}.nav-pills>li.active>a,.nav-pills>li.active>a:hover,.nav-pills>li.active>a:focus{color:#fff;background-color:#428bca}.nav-stacked>li{float:none}.nav-stacked>li+li{margin-top:2px;margin-left:0}.nav-justified{width:100%}.nav-justified>li{float:none}.nav-justified>li>a{text-align:center;margin-bottom:5px}.nav-justified>.dropdown .dropdown-menu{top:auto;left:auto}@media (min-width:768px){.nav-justified>li{display:table-cell;width:1%}.nav-justified>li>a{margin-bottom:0}}.nav-tabs-justified{border-bottom:0}.nav-tabs-justified>li>a{margin-right:0;border-radius:4px}.nav-tabs-justified>.active>a,.nav-tabs-justified>.active>a:hover,.nav-tabs-justified>.active>a:focus{border:1px solid #ddd}@media (min-width:768px){.nav-tabs-justified>li>a{border-bottom:1px solid #ddd;border-radius:4px 4px 0 0}.nav-tabs-justified>.active>a,.nav-tabs-justified>.active>a:hover,.nav-tabs-justified>.active>a:focus{border-bottom-color:#fff}}.tab-content>.tab-pane{display:none}.tab-content>.active{display:block}.nav-tabs .dropdown-menu{margin-top:-1px;border-top-right-radius:0;border-top-left-radius:0}.navbar{position:relative;min-height:50px;margin-bottom:20px;border:1px solid transparent}@media (min-width:768px){.navbar{border-radius:4px}}@media (min-width:768px){.navbar-header{float:left}}.navbar-collapse{overflow-x:visible;padding-right:15px;padding-left:15px;border-top:1px solid transparent;-webkit-box-shadow:inset 0 1px 0 rgba(255,255,255,0.1);box-shadow:inset 0 1px 0 rgba(255,255,255,0.1);-webkit-overflow-scrolling:touch}.navbar-collapse.in{overflow-y:auto}@media (min-width:768px){.navbar-collapse{width:auto;border-top:0;-webkit-box-shadow:none;box-shadow:none}.navbar-collapse.collapse{display:block !important;height:auto !important;padding-bottom:0;overflow:visible !important}.navbar-collapse.in{overflow-y:visible}.navbar-fixed-top .navbar-collapse,.navbar-static-top .navbar-collapse,.navbar-fixed-bottom .navbar-collapse{padding-left:0;padding-right:0}}.navbar-fixed-top .navbar-collapse,.navbar-fixed-bottom .navbar-collapse{max-height:340px}@media (max-device-width:480px) and (orientation:landscape){.navbar-fixed-top .navbar-collapse,.navbar-fixed-bottom .navbar-collapse{max-height:200px}}.container>.navbar-header,.container-fluid>.navbar-header,.container>.navbar-collapse,.container-fluid>.navbar-collapse{margin-right:-15px;margin-left:-15px}@media (min-width:768px){.container>.navbar-header,.container-fluid>.navbar-header,.container>.navbar-collapse,.container-fluid>.navbar-collapse{margin-right:0;margin-left:0}}.navbar-static-top{z-index:1000;border-width:0 0 1px}@media (min-width:768px){.navbar-static-top{border-radius:0}}.navbar-fixed-top,.navbar-fixed-bottom{position:fixed;right:0;left:0;z-index:1030}@media (min-width:768px){.navbar-fixed-top,.navbar-fixed-bottom{border-radius:0}}.navbar-fixed-top{top:0;border-width:0 0 1px}.navbar-fixed-bottom{bottom:0;margin-bottom:0;border-width:1px 0 0}.navbar-brand{float:left;padding:15px 15px;font-size:18px;line-height:20px;height:50px}.navbar-brand:hover,.navbar-brand:focus{text-decoration:none}.navbar-brand>img{display:block}@media (min-width:768px){.navbar>.container .navbar-brand,.navbar>.container-fluid .navbar-brand{margin-left:-15px}}.navbar-toggle{position:relative;float:right;margin-right:15px;padding:9px 10px;margin-top:8px;margin-bottom:8px;background-color:transparent;background-image:none;border:1px solid transparent;border-radius:4px}.navbar-toggle:focus{outline:0}.navbar-toggle .icon-bar{display:block;width:22px;height:2px;border-radius:1px}.navbar-toggle .icon-bar+.icon-bar{margin-top:4px}@media (min-width:768px){.navbar-toggle{display:none}}.navbar-nav{margin:7.5px -15px}.navbar-nav>li>a{padding-top:10px;padding-bottom:10px;line-height:20px}@media (max-width:767px){.navbar-nav .open .dropdown-menu{position:static;float:none;width:auto;margin-top:0;background-color:transparent;border:0;-webkit-box-shadow:none;box-shadow:none}.navbar-nav .open .dropdown-menu>li>a,.navbar-nav .open .dropdown-menu .dropdown-header{padding:5px 15px 5px 25px}.navbar-nav .open .dropdown-menu>li>a{line-height:20px}.navbar-nav .open .dropdown-menu>li>a:hover,.navbar-nav .open .dropdown-menu>li>a:focus{background-image:none}}@media (min-width:768px){.navbar-nav{float:left;margin:0}.navbar-nav>li{float:left}.navbar-nav>li>a{padding-top:15px;padding-bottom:15px}}.navbar-form{margin-left:-15px;margin-right:-15px;padding:10px 15px;border-top:1px solid transparent;border-bottom:1px solid transparent;-webkit-box-shadow:inset 0 1px 0 rgba(255,255,255,0.1),0 1px 0 rgba(255,255,255,0.1);box-shadow:inset 0 1px 0 rgba(255,255,255,0.1),0 1px 0 rgba(255,255,255,0.1);margin-top:8px;margin-bottom:8px}@media (min-width:768px){.navbar-form .form-group{display:inline-block;margin-bottom:0;vertical-align:middle}.navbar-form .form-control{display:inline-block;width:auto;vertical-align:middle}.navbar-form .form-control-static{display:inline-block}.navbar-form .input-group{display:inline-table;vertical-align:middle}.navbar-form .input-group .input-group-addon,.navbar-form .input-group .input-group-btn,.navbar-form .input-group .form-control{width:auto}.navbar-form .input-group>.form-control{width:100%}.navbar-form .control-label{margin-bottom:0;vertical-align:middle}.navbar-form .radio,.navbar-form .checkbox{display:inline-block;margin-top:0;margin-bottom:0;vertical-align:middle}.navbar-form .radio label,.navbar-form .checkbox label{padding-left:0}.navbar-form .radio input[type="radio"],.navbar-form .checkbox input[type="checkbox"]{position:relative;margin-left:0}.navbar-form .has-feedback .form-control-feedback{top:0}}@media (max-width:767px){.navbar-form .form-group{margin-bottom:5px}.navbar-form .form-group:last-child{margin-bottom:0}}@media (min-width:768px){.navbar-form{width:auto;border:0;margin-left:0;margin-right:0;padding-top:0;padding-bottom:0;-webkit-box-shadow:none;box-shadow:none}}.navbar-nav>li>.dropdown-menu{margin-top:0;border-top-right-radius:0;border-top-left-radius:0}.navbar-fixed-bottom .navbar-nav>li>.dropdown-menu{margin-bottom:0;border-top-right-radius:4px;border-top-left-radius:4px;border-bottom-right-radius:0;border-bottom-left-radius:0}.navbar-btn{margin-top:8px;margin-bottom:8px}.navbar-btn.btn-sm{margin-top:10px;margin-bottom:10px}.navbar-btn.btn-xs{margin-top:14px;margin-bottom:14px}.navbar-text{margin-top:15px;margin-bottom:15px}@media (min-width:768px){.navbar-text{float:left;margin-left:15px;margin-right:15px}}@media (min-width:768px){.navbar-left{float:left !important}.navbar-right{float:right !important;margin-right:-15px}.navbar-right~.navbar-right{margin-right:0}}.navbar-default{background-color:#f8f8f8;border-color:#e7e7e7}.navbar-default .navbar-brand{color:#777}.navbar-default .navbar-brand:hover,.navbar-default .navbar-brand:focus{color:#5e5e5e;background-color:transparent}.navbar-default .navbar-text{color:#777}.navbar-default .navbar-nav>li>a{color:#777}.navbar-default .navbar-nav>li>a:hover,.navbar-default .navbar-nav>li>a:focus{color:#333;background-color:transparent}.navbar-default .navbar-nav>.active>a,.navbar-default .navbar-nav>.active>a:hover,.navbar-default .navbar-nav>.active>a:focus{color:#555;background-color:#e7e7e7}.navbar-default .navbar-nav>.disabled>a,.navbar-default .navbar-nav>.disabled>a:hover,.navbar-default .navbar-nav>.disabled>a:focus{color:#ccc;background-color:transparent}.navbar-default .navbar-toggle{border-color:#ddd}.navbar-default .navbar-toggle:hover,.navbar-default .navbar-toggle:focus{background-color:#ddd}.navbar-default .navbar-toggle .icon-bar{background-color:#888}.navbar-default .navbar-collapse,.navbar-default .navbar-form{border-color:#e7e7e7}.navbar-default .navbar-nav>.open>a,.navbar-default .navbar-nav>.open>a:hover,.navbar-default .navbar-nav>.open>a:focus{background-color:#e7e7e7;color:#555}@media (max-width:767px){.navbar-default .navbar-nav .open .dropdown-menu>li>a{color:#777}.navbar-default .navbar-nav .open .dropdown-menu>li>a:hover,.navbar-default .navbar-nav .open .dropdown-menu>li>a:focus{color:#333;background-color:transparent}.navbar-default .navbar-nav .open .dropdown-menu>.active>a,.navbar-default .navbar-nav .open .dropdown-menu>.active>a:hover,.navbar-default .navbar-nav .open .dropdown-menu>.active>a:focus{color:#555;background-color:#e7e7e7}.navbar-default .navbar-nav .open .dropdown-menu>.disabled>a,.navbar-default .navbar-nav .open .dropdown-menu>.disabled>a:hover,.navbar-default .navbar-nav .open .dropdown-menu>.disabled>a:focus{color:#ccc;background-color:transparent}}.navbar-default .navbar-link{color:#777}.navbar-default .navbar-link:hover{color:#333}.navbar-default .btn-link{color:#777}.navbar-default .btn-link:hover,.navbar-default .btn-link:focus{color:#333}.navbar-default .btn-link[disabled]:hover,fieldset[disabled] .navbar-default .btn-link:hover,.navbar-default .btn-link[disabled]:focus,fieldset[disabled] .navbar-default .btn-link:focus{color:#ccc}.navbar-inverse{background-color:#222;border-color:#080808}.navbar-inverse .navbar-brand{color:#777}.navbar-inverse .navbar-brand:hover,.navbar-inverse .navbar-brand:focus{color:#fff;background-color:transparent}.navbar-inverse .navbar-text{color:#777}.navbar-inverse .navbar-nav>li>a{color:#777}.navbar-inverse .navbar-nav>li>a:hover,.navbar-inverse .navbar-nav>li>a:focus{color:#fff;background-color:transparent}.navbar-inverse .navbar-nav>.active>a,.navbar-inverse .navbar-nav>.active>a:hover,.navbar-inverse .navbar-nav>.active>a:focus{color:#fff;background-color:#080808}.navbar-inverse .navbar-nav>.disabled>a,.navbar-inverse .navbar-nav>.disabled>a:hover,.navbar-inverse .navbar-nav>.disabled>a:focus{color:#444;background-color:transparent}.navbar-inverse .navbar-toggle{border-color:#333}.navbar-inverse .navbar-toggle:hover,.navbar-inverse .navbar-toggle:focus{background-color:#333}.navbar-inverse .navbar-toggle .icon-bar{background-color:#fff}.navbar-inverse .navbar-collapse,.navbar-inverse .navbar-form{border-color:#101010}.navbar-inverse .navbar-nav>.open>a,.navbar-inverse .navbar-nav>.open>a:hover,.navbar-inverse .navbar-nav>.open>a:focus{background-color:#080808;color:#fff}@media (max-width:767px){.navbar-inverse .navbar-nav .open .dropdown-menu>.dropdown-header{border-color:#080808}.navbar-inverse .navbar-nav .open .dropdown-menu .divider{background-color:#080808}.navbar-inverse .navbar-nav .open .dropdown-menu>li>a{color:#777}.navbar-inverse .navbar-nav .open .dropdown-menu>li>a:hover,.navbar-inverse .navbar-nav .open .dropdown-menu>li>a:focus{color:#fff;background-color:transparent}.navbar-inverse .navbar-nav .open .dropdown-menu>.active>a,.navbar-inverse .navbar-nav .open .dropdown-menu>.active>a:hover,.navbar-inverse .navbar-nav .open .dropdown-menu>.active>a:focus{color:#fff;background-color:#080808}.navbar-inverse .navbar-nav .open .dropdown-menu>.disabled>a,.navbar-inverse .navbar-nav .open .dropdown-menu>.disabled>a:hover,.navbar-inverse .navbar-nav .open .dropdown-menu>.disabled>a:focus{color:#444;background-color:transparent}}.navbar-inverse .navbar-link{color:#777}.navbar-inverse .navbar-link:hover{color:#fff}.navbar-inverse .btn-link{color:#777}.navbar-inverse .btn-link:hover,.navbar-inverse .btn-link:focus{color:#fff}.navbar-inverse .btn-link[disabled]:hover,fieldset[disabled] .navbar-inverse .btn-link:hover,.navbar-inverse .btn-link[disabled]:focus,fieldset[disabled] .navbar-inverse .btn-link:focus{color:#444}.label{display:inline;padding:.2em .6em .3em;font-size:75%;font-weight:bold;line-height:1;color:#fff;text-align:center;white-space:nowrap;vertical-align:baseline;border-radius:.25em}a.label:hover,a.label:focus{color:#fff;text-decoration:none;cursor:pointer}.label:empty{display:none}.btn .label{position:relative;top:-1px}.label-default{background-color:#777}.label-default[href]:hover,.label-default[href]:focus{background-color:#5e5e5e}.label-primary{background-color:#428bca}.label-primary[href]:hover,.label-primary[href]:focus{background-color:#3071a9}.label-success{background-color:#5cb85c}.label-success[href]:hover,.label-success[href]:focus{background-color:#449d44}.label-info{background-color:#5bc0de}.label-info[href]:hover,.label-info[href]:focus{background-color:#31b0d5}.label-warning{background-color:#f0ad4e}.label-warning[href]:hover,.label-warning[href]:focus{background-color:#ec971f}.label-danger{background-color:#d9534f}.label-danger[href]:hover,.label-danger[href]:focus{background-color:#c9302c}.badge{display:inline-block;min-width:10px;padding:3px 7px;font-size:12px;font-weight:bold;color:#fff;line-height:1;vertical-align:middle;white-space:nowrap;text-align:center;background-color:#777;border-radius:10px}.badge:empty{display:none}.btn .badge{position:relative;top:-1px}.btn-xs .badge,.btn-group-xs>.btn .badge{top:0;padding:1px 5px}a.badge:hover,a.badge:focus{color:#fff;text-decoration:none;cursor:pointer}.list-group-item.active>.badge,.nav-pills>.active>a>.badge{color:#428bca;background-color:#fff}.list-group-item>.badge{float:right}.list-group-item>.badge+.badge{margin-right:5px}.nav-pills>li>a>.badge{margin-left:3px}.alert{padding:15px;margin-bottom:20px;border:1px solid transparent;border-radius:4px}.alert h4{margin-top:0;color:inherit}.alert .alert-link{font-weight:bold}.alert>p,.alert>ul{margin-bottom:0}.alert>p+p{margin-top:5px}.alert-dismissable,.alert-dismissible{padding-right:35px}.alert-dismissable .close,.alert-dismissible .close{position:relative;top:-2px;right:-21px;color:inherit}.alert-success{background-color:#dff0d8;border-color:#d6e9c6;color:#3c763d}.alert-success hr{border-top-color:#c9e2b3}.alert-success .alert-link{color:#2b542c}.alert-info{background-color:#d9edf7;border-color:#bce8f1;color:#31708f}.alert-info hr{border-top-color:#a6e1ec}.alert-info .alert-link{color:#245269}.alert-warning{background-color:#fcf8e3;border-color:#faebcc;color:#8a6d3b}.alert-warning hr{border-top-color:#f7e1b5}.alert-warning .alert-link{color:#66512c}.alert-danger{background-color:#f2dede;border-color:#ebccd1;color:#a94442}.alert-danger hr{border-top-color:#e4b9c0}.alert-danger .alert-link{color:#843534}@-webkit-keyframes progress-bar-stripes{from{background-position:40px 0}to{background-position:0 0}}@-o-keyframes progress-bar-stripes{from{background-position:40px 0}to{background-position:0 0}}@keyframes progress-bar-stripes{from{background-position:40px 0}to{background-position:0 0}}.progress{overflow:hidden;height:20px;margin-bottom:20px;background-color:#f5f5f5;border-radius:4px;-webkit-box-shadow:inset 0 1px 2px rgba(0,0,0,0.1);box-shadow:inset 0 1px 2px rgba(0,0,0,0.1)}.progress-bar{float:left;width:0%;height:100%;font-size:12px;line-height:20px;color:#fff;text-align:center;background-color:#428bca;-webkit-box-shadow:inset 0 -1px 0 rgba(0,0,0,0.15);box-shadow:inset 0 -1px 0 rgba(0,0,0,0.15);-webkit-transition:width .6s ease;-o-transition:width .6s ease;transition:width .6s ease}.progress-striped .progress-bar,.progress-bar-striped{background-image:-webkit-linear-gradient(45deg, rgba(255,255,255,0.15) 25%, transparent 25%, transparent 50%, rgba(255,255,255,0.15) 50%, rgba(255,255,255,0.15) 75%, transparent 75%, transparent);background-image:-o-linear-gradient(45deg, rgba(255,255,255,0.15) 25%, transparent 25%, transparent 50%, rgba(255,255,255,0.15) 50%, rgba(255,255,255,0.15) 75%, transparent 75%, transparent);background-image:linear-gradient(45deg, rgba(255,255,255,0.15) 25%, transparent 25%, transparent 50%, rgba(255,255,255,0.15) 50%, rgba(255,255,255,0.15) 75%, transparent 75%, transparent);-webkit-background-size:40px 40px;background-size:40px 40px}.progress.active .progress-bar,.progress-bar.active{-webkit-animation:progress-bar-stripes 2s linear infinite;-o-animation:progress-bar-stripes 2s linear infinite;animation:progress-bar-stripes 2s linear infinite}.progress-bar-success{background-color:#5cb85c}.progress-striped .progress-bar-success{background-image:-webkit-linear-gradient(45deg, rgba(255,255,255,0.15) 25%, transparent 25%, transparent 50%, rgba(255,255,255,0.15) 50%, rgba(255,255,255,0.15) 75%, transparent 75%, transparent);background-image:-o-linear-gradient(45deg, rgba(255,255,255,0.15) 25%, transparent 25%, transparent 50%, rgba(255,255,255,0.15) 50%, rgba(255,255,255,0.15) 75%, transparent 75%, transparent);background-image:linear-gradient(45deg, rgba(255,255,255,0.15) 25%, transparent 25%, transparent 50%, rgba(255,255,255,0.15) 50%, rgba(255,255,255,0.15) 75%, transparent 75%, transparent)}.progress-bar-info{background-color:#5bc0de}.progress-striped .progress-bar-info{background-image:-webkit-linear-gradient(45deg, rgba(255,255,255,0.15) 25%, transparent 25%, transparent 50%, rgba(255,255,255,0.15) 50%, rgba(255,255,255,0.15) 75%, transparent 75%, transparent);background-image:-o-linear-gradient(45deg, rgba(255,255,255,0.15) 25%, transparent 25%, transparent 50%, rgba(255,255,255,0.15) 50%, rgba(255,255,255,0.15) 75%, transparent 75%, transparent);background-image:linear-gradient(45deg, rgba(255,255,255,0.15) 25%, transparent 25%, transparent 50%, rgba(255,255,255,0.15) 50%, rgba(255,255,255,0.15) 75%, transparent 75%, transparent)}.progress-bar-warning{background-color:#f0ad4e}.progress-striped .progress-bar-warning{background-image:-webkit-linear-gradient(45deg, rgba(255,255,255,0.15) 25%, transparent 25%, transparent 50%, rgba(255,255,255,0.15) 50%, rgba(255,255,255,0.15) 75%, transparent 75%, transparent);background-image:-o-linear-gradient(45deg, rgba(255,255,255,0.15) 25%, transparent 25%, transparent 50%, rgba(255,255,255,0.15) 50%, rgba(255,255,255,0.15) 75%, transparent 75%, transparent);background-image:linear-gradient(45deg, rgba(255,255,255,0.15) 25%, transparent 25%, transparent 50%, rgba(255,255,255,0.15) 50%, rgba(255,255,255,0.15) 75%, transparent 75%, transparent)}.progress-bar-danger{background-color:#d9534f}.progress-striped .progress-bar-danger{background-image:-webkit-linear-gradient(45deg, rgba(255,255,255,0.15) 25%, transparent 25%, transparent 50%, rgba(255,255,255,0.15) 50%, rgba(255,255,255,0.15) 75%, transparent 75%, transparent);background-image:-o-linear-gradient(45deg, rgba(255,255,255,0.15) 25%, transparent 25%, transparent 50%, rgba(255,255,255,0.15) 50%, rgba(255,255,255,0.15) 75%, transparent 75%, transparent);background-image:linear-gradient(45deg, rgba(255,255,255,0.15) 25%, transparent 25%, transparent 50%, rgba(255,255,255,0.15) 50%, rgba(255,255,255,0.15) 75%, transparent 75%, transparent)}.panel{margin-bottom:20px;background-color:#fff;border:1px solid transparent;border-radius:4px;-webkit-box-shadow:0 1px 1px rgba(0,0,0,0.05);box-shadow:0 1px 1px rgba(0,0,0,0.05)}.panel-body{padding:15px}.panel-heading{padding:10px 15px;border-bottom:1px solid transparent;border-top-right-radius:3px;border-top-left-radius:3px}.panel-heading>.dropdown .dropdown-toggle{color:inherit}.panel-title{margin-top:0;margin-bottom:0;font-size:16px;color:inherit}.panel-title>a,.panel-title>small,.panel-title>.small,.panel-title>small>a,.panel-title>.small>a{color:inherit}.panel-footer{padding:10px 15px;background-color:#f5f5f5;border-top:1px solid #ddd;border-bottom-right-radius:3px;border-bottom-left-radius:3px}.panel>.list-group,.panel>.panel-collapse>.list-group{margin-bottom:0}.panel>.list-group .list-group-item,.panel>.panel-collapse>.list-group .list-group-item{border-width:1px 0;border-radius:0}.panel>.list-group:first-child .list-group-item:first-child,.panel>.panel-collapse>.list-group:first-child .list-group-item:first-child{border-top:0;border-top-right-radius:3px;border-top-left-radius:3px}.panel>.list-group:last-child .list-group-item:last-child,.panel>.panel-collapse>.list-group:last-child .list-group-item:last-child{border-bottom:0;border-bottom-right-radius:3px;border-bottom-left-radius:3px}.panel>.panel-heading+.panel-collapse>.list-group .list-group-item:first-child{border-top-right-radius:0;border-top-left-radius:0}.panel-heading+.list-group .list-group-item:first-child{border-top-width:0}.list-group+.panel-footer{border-top-width:0}.panel>.table,.panel>.table-responsive>.table,.panel>.panel-collapse>.table{margin-bottom:0}.panel>.table caption,.panel>.table-responsive>.table caption,.panel>.panel-collapse>.table caption{padding-left:15px;padding-right:15px}.panel>.table:first-child,.panel>.table-responsive:first-child>.table:first-child{border-top-right-radius:3px;border-top-left-radius:3px}.panel>.table:first-child>thead:first-child>tr:first-child,.panel>.table-responsive:first-child>.table:first-child>thead:first-child>tr:first-child,.panel>.table:first-child>tbody:first-child>tr:first-child,.panel>.table-responsive:first-child>.table:first-child>tbody:first-child>tr:first-child{border-top-left-radius:3px;border-top-right-radius:3px}.panel>.table:first-child>thead:first-child>tr:first-child td:first-child,.panel>.table-responsive:first-child>.table:first-child>thead:first-child>tr:first-child td:first-child,.panel>.table:first-child>tbody:first-child>tr:first-child td:first-child,.panel>.table-responsive:first-child>.table:first-child>tbody:first-child>tr:first-child td:first-child,.panel>.table:first-child>thead:first-child>tr:first-child th:first-child,.panel>.table-responsive:first-child>.table:first-child>thead:first-child>tr:first-child th:first-child,.panel>.table:first-child>tbody:first-child>tr:first-child th:first-child,.panel>.table-responsive:first-child>.table:first-child>tbody:first-child>tr:first-child th:first-child{border-top-left-radius:3px}.panel>.table:first-child>thead:first-child>tr:first-child td:last-child,.panel>.table-responsive:first-child>.table:first-child>thead:first-child>tr:first-child td:last-child,.panel>.table:first-child>tbody:first-child>tr:first-child td:last-child,.panel>.table-responsive:first-child>.table:first-child>tbody:first-child>tr:first-child td:last-child,.panel>.table:first-child>thead:first-child>tr:first-child th:last-child,.panel>.table-responsive:first-child>.table:first-child>thead:first-child>tr:first-child th:last-child,.panel>.table:first-child>tbody:first-child>tr:first-child th:last-child,.panel>.table-responsive:first-child>.table:first-child>tbody:first-child>tr:first-child th:last-child{border-top-right-radius:3px}.panel>.table:last-child,.panel>.table-responsive:last-child>.table:last-child{border-bottom-right-radius:3px;border-bottom-left-radius:3px}.panel>.table:last-child>tbody:last-child>tr:last-child,.panel>.table-responsive:last-child>.table:last-child>tbody:last-child>tr:last-child,.panel>.table:last-child>tfoot:last-child>tr:last-child,.panel>.table-responsive:last-child>.table:last-child>tfoot:last-child>tr:last-child{border-bottom-left-radius:3px;border-bottom-right-radius:3px}.panel>.table:last-child>tbody:last-child>tr:last-child td:first-child,.panel>.table-responsive:last-child>.table:last-child>tbody:last-child>tr:last-child td:first-child,.panel>.table:last-child>tfoot:last-child>tr:last-child td:first-child,.panel>.table-responsive:last-child>.table:last-child>tfoot:last-child>tr:last-child td:first-child,.panel>.table:last-child>tbody:last-child>tr:last-child th:first-child,.panel>.table-responsive:last-child>.table:last-child>tbody:last-child>tr:last-child th:first-child,.panel>.table:last-child>tfoot:last-child>tr:last-child th:first-child,.panel>.table-responsive:last-child>.table:last-child>tfoot:last-child>tr:last-child th:first-child{border-bottom-left-radius:3px}.panel>.table:last-child>tbody:last-child>tr:last-child td:last-child,.panel>.table-responsive:last-child>.table:last-child>tbody:last-child>tr:last-child td:last-child,.panel>.table:last-child>tfoot:last-child>tr:last-child td:last-child,.panel>.table-responsive:last-child>.table:last-child>tfoot:last-child>tr:last-child td:last-child,.panel>.table:last-child>tbody:last-child>tr:last-child th:last-child,.panel>.table-responsive:last-child>.table:last-child>tbody:last-child>tr:last-child th:last-child,.panel>.table:last-child>tfoot:last-child>tr:last-child th:last-child,.panel>.table-responsive:last-child>.table:last-child>tfoot:last-child>tr:last-child th:last-child{border-bottom-right-radius:3px}.panel>.panel-body+.table,.panel>.panel-body+.table-responsive,.panel>.table+.panel-body,.panel>.table-responsive+.panel-body{border-top:1px solid #ddd}.panel>.table>tbody:first-child>tr:first-child th,.panel>.table>tbody:first-child>tr:first-child td{border-top:0}.panel>.table-bordered,.panel>.table-responsive>.table-bordered{border:0}.panel>.table-bordered>thead>tr>th:first-child,.panel>.table-responsive>.table-bordered>thead>tr>th:first-child,.panel>.table-bordered>tbody>tr>th:first-child,.panel>.table-responsive>.table-bordered>tbody>tr>th:first-child,.panel>.table-bordered>tfoot>tr>th:first-child,.panel>.table-responsive>.table-bordered>tfoot>tr>th:first-child,.panel>.table-bordered>thead>tr>td:first-child,.panel>.table-responsive>.table-bordered>thead>tr>td:first-child,.panel>.table-bordered>tbody>tr>td:first-child,.panel>.table-responsive>.table-bordered>tbody>tr>td:first-child,.panel>.table-bordered>tfoot>tr>td:first-child,.panel>.table-responsive>.table-bordered>tfoot>tr>td:first-child{border-left:0}.panel>.table-bordered>thead>tr>th:last-child,.panel>.table-responsive>.table-bordered>thead>tr>th:last-child,.panel>.table-bordered>tbody>tr>th:last-child,.panel>.table-responsive>.table-bordered>tbody>tr>th:last-child,.panel>.table-bordered>tfoot>tr>th:last-child,.panel>.table-responsive>.table-bordered>tfoot>tr>th:last-child,.panel>.table-bordered>thead>tr>td:last-child,.panel>.table-responsive>.table-bordered>thead>tr>td:last-child,.panel>.table-bordered>tbody>tr>td:last-child,.panel>.table-responsive>.table-bordered>tbody>tr>td:last-child,.panel>.table-bordered>tfoot>tr>td:last-child,.panel>.table-responsive>.table-bordered>tfoot>tr>td:last-child{border-right:0}.panel>.table-bordered>thead>tr:first-child>td,.panel>.table-responsive>.table-bordered>thead>tr:first-child>td,.panel>.table-bordered>tbody>tr:first-child>td,.panel>.table-responsive>.table-bordered>tbody>tr:first-child>td,.panel>.table-bordered>thead>tr:first-child>th,.panel>.table-responsive>.table-bordered>thead>tr:first-child>th,.panel>.table-bordered>tbody>tr:first-child>th,.panel>.table-responsive>.table-bordered>tbody>tr:first-child>th{border-bottom:0}.panel>.table-bordered>tbody>tr:last-child>td,.panel>.table-responsive>.table-bordered>tbody>tr:last-child>td,.panel>.table-bordered>tfoot>tr:last-child>td,.panel>.table-responsive>.table-bordered>tfoot>tr:last-child>td,.panel>.table-bordered>tbody>tr:last-child>th,.panel>.table-responsive>.table-bordered>tbody>tr:last-child>th,.panel>.table-bordered>tfoot>tr:last-child>th,.panel>.table-responsive>.table-bordered>tfoot>tr:last-child>th{border-bottom:0}.panel>.table-responsive{border:0;margin-bottom:0}.panel-group{margin-bottom:20px}.panel-group .panel{margin-bottom:0;border-radius:4px}.panel-group .panel+.panel{margin-top:5px}.panel-group .panel-heading{border-bottom:0}.panel-group .panel-heading+.panel-collapse>.panel-body,.panel-group .panel-heading+.panel-collapse>.list-group{border-top:1px solid #ddd}.panel-group .panel-footer{border-top:0}.panel-group .panel-footer+.panel-collapse .panel-body{border-bottom:1px solid #ddd}.panel-default{border-color:#ddd}.panel-default>.panel-heading{color:#333;background-color:#f5f5f5;border-color:#ddd}.panel-default>.panel-heading+.panel-collapse>.panel-body{border-top-color:#ddd}.panel-default>.panel-heading .badge{color:#f5f5f5;background-color:#333}.panel-default>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#ddd}.panel-primary{border-color:#428bca}.panel-primary>.panel-heading{color:#fff;background-color:#428bca;border-color:#428bca}.panel-primary>.panel-heading+.panel-collapse>.panel-body{border-top-color:#428bca}.panel-primary>.panel-heading .badge{color:#428bca;background-color:#fff}.panel-primary>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#428bca}.panel-success{border-color:#d6e9c6}.panel-success>.panel-heading{color:#3c763d;background-color:#dff0d8;border-color:#d6e9c6}.panel-success>.panel-heading+.panel-collapse>.panel-body{border-top-color:#d6e9c6}.panel-success>.panel-heading .badge{color:#dff0d8;background-color:#3c763d}.panel-success>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#d6e9c6}.panel-info{border-color:#bce8f1}.panel-info>.panel-heading{color:#31708f;background-color:#d9edf7;border-color:#bce8f1}.panel-info>.panel-heading+.panel-collapse>.panel-body{border-top-color:#bce8f1}.panel-info>.panel-heading .badge{color:#d9edf7;background-color:#31708f}.panel-info>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#bce8f1}.panel-warning{border-color:#faebcc}.panel-warning>.panel-heading{color:#8a6d3b;background-color:#fcf8e3;border-color:#faebcc}.panel-warning>.panel-heading+.panel-collapse>.panel-body{border-top-color:#faebcc}.panel-warning>.panel-heading .badge{color:#fcf8e3;background-color:#8a6d3b}.panel-warning>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#faebcc}.panel-danger{border-color:#ebccd1}.panel-danger>.panel-heading{color:#a94442;background-color:#f2dede;border-color:#ebccd1}.panel-danger>.panel-heading+.panel-collapse>.panel-body{border-top-color:#ebccd1}.panel-danger>.panel-heading .badge{color:#f2dede;background-color:#a94442}.panel-danger>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#ebccd1}.modal-open{overflow:hidden}.modal{display:none;overflow:hidden;position:fixed;top:0;right:0;bottom:0;left:0;z-index:1050;-webkit-overflow-scrolling:touch;outline:0}.modal.fade .modal-dialog{-webkit-transform:translate(0, -25%);-ms-transform:translate(0, -25%);-o-transform:translate(0, -25%);transform:translate(0, -25%);-webkit-transition:-webkit-transform 0.3s ease-out;-o-transition:-o-transform 0.3s ease-out;transition:transform 0.3s ease-out}.modal.in .modal-dialog{-webkit-transform:translate(0, 0);-ms-transform:translate(0, 0);-o-transform:translate(0, 0);transform:translate(0, 0)}.modal-open .modal{overflow-x:hidden;overflow-y:auto}.modal-dialog{position:relative;width:auto;margin:10px}.modal-content{position:relative;background-color:#fff;border:1px solid #999;border:1px solid rgba(0,0,0,0.2);border-radius:6px;-webkit-box-shadow:0 3px 9px rgba(0,0,0,0.5);box-shadow:0 3px 9px rgba(0,0,0,0.5);-webkit-background-clip:padding-box;background-clip:padding-box;outline:0}.modal-backdrop{position:fixed;top:0;right:0;bottom:0;left:0;z-index:1040;background-color:#000}.modal-backdrop.fade{opacity:0;filter:alpha(opacity=0)}.modal-backdrop.in{opacity:.5;filter:alpha(opacity=50)}.modal-header{padding:15px;border-bottom:1px solid #e5e5e5}.modal-header .close{margin-top:-2px}.modal-title{margin:0;line-height:1.42857143}.modal-body{position:relative;padding:15px}.modal-footer{padding:15px;text-align:right;border-top:1px solid #e5e5e5}.modal-footer .btn+.btn{margin-left:5px;margin-bottom:0}.modal-footer .btn-group .btn+.btn{margin-left:-1px}.modal-footer .btn-block+.btn-block{margin-left:0}.modal-scrollbar-measure{position:absolute;top:-9999px;width:50px;height:50px;overflow:scroll}@media (min-width:768px){.modal-dialog{width:600px;margin:30px auto}.modal-content{-webkit-box-shadow:0 5px 15px rgba(0,0,0,0.5);box-shadow:0 5px 15px rgba(0,0,0,0.5)}.modal-sm{width:300px}}@media (min-width:992px){.modal-lg{width:900px}}.clearfix:before,.clearfix:after,.dl-horizontal dd:before,.dl-horizontal dd:after,.container:before,.container:after,.container-fluid:before,.container-fluid:after,.row:before,.row:after,.form-horizontal .form-group:before,.form-horizontal .form-group:after,.btn-toolbar:before,.btn-toolbar:after,.btn-group-vertical>.btn-group:before,.btn-group-vertical>.btn-group:after,.nav:before,.nav:after,.navbar:before,.navbar:after,.navbar-header:before,.navbar-header:after,.navbar-collapse:before,.navbar-collapse:after,.panel-body:before,.panel-body:after,.modal-header:before,.modal-header:after,.modal-footer:before,.modal-footer:after{content:" ";display:table}.clearfix:after,.dl-horizontal dd:after,.container:after,.container-fluid:after,.row:after,.form-horizontal .form-group:after,.btn-toolbar:after,.btn-group-vertical>.btn-group:after,.nav:after,.navbar:after,.navbar-header:after,.navbar-collapse:after,.panel-body:after,.modal-header:after,.modal-footer:after{clear:both}.center-block{display:block;margin-left:auto;margin-right:auto}.pull-right{float:right !important}.pull-left{float:left !important}.hide{display:none !important}.show{display:block !important}.invisible{visibility:hidden}.text-hide{font:0/0 a;color:transparent;text-shadow:none;background-color:transparent;border:0}.hidden{display:none !important}.affix{position:fixed}@-ms-viewport{width:device-width}.visible-xs,.visible-sm,.visible-md,.visible-lg{display:none !important}.visible-xs-block,.visible-xs-inline,.visible-xs-inline-block,.visible-sm-block,.visible-sm-inline,.visible-sm-inline-block,.visible-md-block,.visible-md-inline,.visible-md-inline-block,.visible-lg-block,.visible-lg-inline,.visible-lg-inline-block{display:none !important}@media (max-width:767px){.visible-xs{display:block !important}table.visible-xs{display:table !important}tr.visible-xs{display:table-row !important}th.visible-xs,td.visible-xs{display:table-cell !important}}@media (max-width:767px){.visible-xs-block{display:block !important}}@media (max-width:767px){.visible-xs-inline{display:inline !important}}@media (max-width:767px){.visible-xs-inline-block{display:inline-block !important}}@media (min-width:768px) and (max-width:991px){.visible-sm{display:block !important}table.visible-sm{display:table !important}tr.visible-sm{display:table-row !important}th.visible-sm,td.visible-sm{display:table-cell !important}}@media (min-width:768px) and (max-width:991px){.visible-sm-block{display:block !important}}@media (min-width:768px) and (max-width:991px){.visible-sm-inline{display:inline !important}}@media (min-width:768px) and (max-width:991px){.visible-sm-inline-block{display:inline-block !important}}@media (min-width:992px) and (max-width:1199px){.visible-md{display:block !important}table.visible-md{display:table !important}tr.visible-md{display:table-row !important}th.visible-md,td.visible-md{display:table-cell !important}}@media (min-width:992px) and (max-width:1199px){.visible-md-block{display:block !important}}@media (min-width:992px) and (max-width:1199px){.visible-md-inline{display:inline !important}}@media (min-width:992px) and (max-width:1199px){.visible-md-inline-block{display:inline-block !important}}@media (min-width:1200px){.visible-lg{display:block !important}table.visible-lg{display:table !important}tr.visible-lg{display:table-row !important}th.visible-lg,td.visible-lg{display:table-cell !important}}@media (min-width:1200px){.visible-lg-block{display:block !important}}@media (min-width:1200px){.visible-lg-inline{display:inline !important}}@media (min-width:1200px){.visible-lg-inline-block{display:inline-block !important}}@media (max-width:767px){.hidden-xs{display:none !important}}@media (min-width:768px) and (max-width:991px){.hidden-sm{display:none !important}}@media (min-width:992px) and (max-width:1199px){.hidden-md{display:none !important}}@media (min-width:1200px){.hidden-lg{display:none !important}}.visible-print{display:none !important}@media print{.visible-print{display:block !important}table.visible-print{display:table !important}tr.visible-print{display:table-row !important}th.visible-print,td.visible-print{display:table-cell !important}}.visible-print-block{display:none !important}@media print{.visible-print-block{display:block !important}}.visible-print-inline{display:none !important}@media print{.visible-print-inline{display:inline !important}}.visible-print-inline-block{display:none !important}@media print{.visible-print-inline-block{display:inline-block !important}}@media print{.hidden-print{display:none !important}}table.treetable span.indenter{display:inline-block;text-align:right;user-select:none;-khtml-user-select:none;-moz-user-select:none;-o-user-select:none;-webkit-user-select:none;-webkit-box-sizing:content-box;-moz-box-sizing:content-box;box-sizing:content-box;width:19px;margin:0;padding:0;}table.treetable span.indenter a{background-position:left center;background-repeat:no-repeat;display:inline-block;text-decoration:none;width:19px;}table.treetable tr.collapsed span.indenter a{background-image:url(data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/9hAAAACXBIWXMAAAsTAAALEwEAmpwYAAAKT2lDQ1BQaG90b3Nob3AgSUNDIHByb2ZpbGUAAHjanVNnVFPpFj333vRCS4iAlEtvUhUIIFJCi4AUkSYqIQkQSoghodkVUcERRUUEG8igiAOOjoCMFVEsDIoK2AfkIaKOg6OIisr74Xuja9a89+bN/rXXPues852zzwfACAyWSDNRNYAMqUIeEeCDx8TG4eQuQIEKJHAAEAizZCFz/SMBAPh+PDwrIsAHvgABeNMLCADATZvAMByH/w/qQplcAYCEAcB0kThLCIAUAEB6jkKmAEBGAYCdmCZTAKAEAGDLY2LjAFAtAGAnf+bTAICd+Jl7AQBblCEVAaCRACATZYhEAGg7AKzPVopFAFgwABRmS8Q5ANgtADBJV2ZIALC3AMDOEAuyAAgMADBRiIUpAAR7AGDIIyN4AISZABRG8lc88SuuEOcqAAB4mbI8uSQ5RYFbCC1xB1dXLh4ozkkXKxQ2YQJhmkAuwnmZGTKBNA/g88wAAKCRFRHgg/P9eM4Ors7ONo62Dl8t6r8G/yJiYuP+5c+rcEAAAOF0ftH+LC+zGoA7BoBt/qIl7gRoXgugdfeLZrIPQLUAoOnaV/Nw+H48PEWhkLnZ2eXk5NhKxEJbYcpXff5nwl/AV/1s+X48/Pf14L7iJIEyXYFHBPjgwsz0TKUcz5IJhGLc5o9H/LcL//wd0yLESWK5WCoU41EScY5EmozzMqUiiUKSKcUl0v9k4t8s+wM+3zUAsGo+AXuRLahdYwP2SycQWHTA4vcAAPK7b8HUKAgDgGiD4c93/+8//UegJQCAZkmScQAAXkQkLlTKsz/HCAAARKCBKrBBG/TBGCzABhzBBdzBC/xgNoRCJMTCQhBCCmSAHHJgKayCQiiGzbAdKmAv1EAdNMBRaIaTcA4uwlW4Dj1wD/phCJ7BKLyBCQRByAgTYSHaiAFiilgjjggXmYX4IcFIBBKLJCDJiBRRIkuRNUgxUopUIFVIHfI9cgI5h1xGupE7yAAygvyGvEcxlIGyUT3UDLVDuag3GoRGogvQZHQxmo8WoJvQcrQaPYw2oefQq2gP2o8+Q8cwwOgYBzPEbDAuxsNCsTgsCZNjy7EirAyrxhqwVqwDu4n1Y8+xdwQSgUXACTYEd0IgYR5BSFhMWE7YSKggHCQ0EdoJNwkDhFHCJyKTqEu0JroR+cQYYjIxh1hILCPWEo8TLxB7iEPENyQSiUMyJ7mQAkmxpFTSEtJG0m5SI+ksqZs0SBojk8naZGuyBzmULCAryIXkneTD5DPkG+Qh8lsKnWJAcaT4U+IoUspqShnlEOU05QZlmDJBVaOaUt2ooVQRNY9aQq2htlKvUYeoEzR1mjnNgxZJS6WtopXTGmgXaPdpr+h0uhHdlR5Ol9BX0svpR+iX6AP0dwwNhhWDx4hnKBmbGAcYZxl3GK+YTKYZ04sZx1QwNzHrmOeZD5lvVVgqtip8FZHKCpVKlSaVGyovVKmqpqreqgtV81XLVI+pXlN9rkZVM1PjqQnUlqtVqp1Q61MbU2epO6iHqmeob1Q/pH5Z/YkGWcNMw09DpFGgsV/jvMYgC2MZs3gsIWsNq4Z1gTXEJrHN2Xx2KruY/R27iz2qqaE5QzNKM1ezUvOUZj8H45hx+Jx0TgnnKKeX836K3hTvKeIpG6Y0TLkxZVxrqpaXllirSKtRq0frvTau7aedpr1Fu1n7gQ5Bx0onXCdHZ4/OBZ3nU9lT3acKpxZNPTr1ri6qa6UbobtEd79up+6Ynr5egJ5Mb6feeb3n+hx9L/1U/W36p/VHDFgGswwkBtsMzhg8xTVxbzwdL8fb8VFDXcNAQ6VhlWGX4YSRudE8o9VGjUYPjGnGXOMk423GbcajJgYmISZLTepN7ppSTbmmKaY7TDtMx83MzaLN1pk1mz0x1zLnm+eb15vft2BaeFostqi2uGVJsuRaplnutrxuhVo5WaVYVVpds0atna0l1rutu6cRp7lOk06rntZnw7Dxtsm2qbcZsOXYBtuutm22fWFnYhdnt8Wuw+6TvZN9un2N/T0HDYfZDqsdWh1+c7RyFDpWOt6azpzuP33F9JbpL2dYzxDP2DPjthPLKcRpnVOb00dnF2e5c4PziIuJS4LLLpc+Lpsbxt3IveRKdPVxXeF60vWdm7Obwu2o26/uNu5p7ofcn8w0nymeWTNz0MPIQ+BR5dE/C5+VMGvfrH5PQ0+BZ7XnIy9jL5FXrdewt6V3qvdh7xc+9j5yn+M+4zw33jLeWV/MN8C3yLfLT8Nvnl+F30N/I/9k/3r/0QCngCUBZwOJgUGBWwL7+Hp8Ib+OPzrbZfay2e1BjKC5QRVBj4KtguXBrSFoyOyQrSH355jOkc5pDoVQfujW0Adh5mGLw34MJ4WHhVeGP45wiFga0TGXNXfR3ENz30T6RJZE3ptnMU85ry1KNSo+qi5qPNo3ujS6P8YuZlnM1VidWElsSxw5LiquNm5svt/87fOH4p3iC+N7F5gvyF1weaHOwvSFpxapLhIsOpZATIhOOJTwQRAqqBaMJfITdyWOCnnCHcJnIi/RNtGI2ENcKh5O8kgqTXqS7JG8NXkkxTOlLOW5hCepkLxMDUzdmzqeFpp2IG0yPTq9MYOSkZBxQqohTZO2Z+pn5mZ2y6xlhbL+xW6Lty8elQfJa7OQrAVZLQq2QqboVFoo1yoHsmdlV2a/zYnKOZarnivN7cyzytuQN5zvn//tEsIS4ZK2pYZLVy0dWOa9rGo5sjxxedsK4xUFK4ZWBqw8uIq2Km3VT6vtV5eufr0mek1rgV7ByoLBtQFr6wtVCuWFfevc1+1dT1gvWd+1YfqGnRs+FYmKrhTbF5cVf9go3HjlG4dvyr+Z3JS0qavEuWTPZtJm6ebeLZ5bDpaql+aXDm4N2dq0Dd9WtO319kXbL5fNKNu7g7ZDuaO/PLi8ZafJzs07P1SkVPRU+lQ27tLdtWHX+G7R7ht7vPY07NXbW7z3/T7JvttVAVVN1WbVZftJ+7P3P66Jqun4lvttXa1ObXHtxwPSA/0HIw6217nU1R3SPVRSj9Yr60cOxx++/p3vdy0NNg1VjZzG4iNwRHnk6fcJ3/ceDTradox7rOEH0x92HWcdL2pCmvKaRptTmvtbYlu6T8w+0dbq3nr8R9sfD5w0PFl5SvNUyWna6YLTk2fyz4ydlZ19fi753GDborZ752PO32oPb++6EHTh0kX/i+c7vDvOXPK4dPKy2+UTV7hXmq86X23qdOo8/pPTT8e7nLuarrlca7nuer21e2b36RueN87d9L158Rb/1tWeOT3dvfN6b/fF9/XfFt1+cif9zsu72Xcn7q28T7xf9EDtQdlD3YfVP1v+3Njv3H9qwHeg89HcR/cGhYPP/pH1jw9DBY+Zj8uGDYbrnjg+OTniP3L96fynQ89kzyaeF/6i/suuFxYvfvjV69fO0ZjRoZfyl5O/bXyl/erA6xmv28bCxh6+yXgzMV70VvvtwXfcdx3vo98PT+R8IH8o/2j5sfVT0Kf7kxmTk/8EA5jz/GMzLdsAAAAgY0hSTQAAeiUAAICDAAD5/wAAgOkAAHUwAADqYAAAOpgAABdvkl/FRgAAAHlJREFUeNrcU1sNgDAQ6wgmcAM2MICGGlg1gJnNzWQcvwQGy1j4oUl/7tH0mpwzM7SgQyO+EZAUWh2MkkzSWhJwuRAlHYsJwEwyvs1gABDuzqoJcTw5qxaIJN0bgQRgIjnlmn1heSO5PE6Y2YXe+5Cr5+h++gs12AcAS6FS+7YOsj4AAAAASUVORK5CYII=);}table.treetable tr.expanded span.indenter a{background-image:url(data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/9hAAAACXBIWXMAAAsTAAALEwEAmpwYAAAKT2lDQ1BQaG90b3Nob3AgSUNDIHByb2ZpbGUAAHjanVNnVFPpFj333vRCS4iAlEtvUhUIIFJCi4AUkSYqIQkQSoghodkVUcERRUUEG8igiAOOjoCMFVEsDIoK2AfkIaKOg6OIisr74Xuja9a89+bN/rXXPues852zzwfACAyWSDNRNYAMqUIeEeCDx8TG4eQuQIEKJHAAEAizZCFz/SMBAPh+PDwrIsAHvgABeNMLCADATZvAMByH/w/qQplcAYCEAcB0kThLCIAUAEB6jkKmAEBGAYCdmCZTAKAEAGDLY2LjAFAtAGAnf+bTAICd+Jl7AQBblCEVAaCRACATZYhEAGg7AKzPVopFAFgwABRmS8Q5ANgtADBJV2ZIALC3AMDOEAuyAAgMADBRiIUpAAR7AGDIIyN4AISZABRG8lc88SuuEOcqAAB4mbI8uSQ5RYFbCC1xB1dXLh4ozkkXKxQ2YQJhmkAuwnmZGTKBNA/g88wAAKCRFRHgg/P9eM4Ors7ONo62Dl8t6r8G/yJiYuP+5c+rcEAAAOF0ftH+LC+zGoA7BoBt/qIl7gRoXgugdfeLZrIPQLUAoOnaV/Nw+H48PEWhkLnZ2eXk5NhKxEJbYcpXff5nwl/AV/1s+X48/Pf14L7iJIEyXYFHBPjgwsz0TKUcz5IJhGLc5o9H/LcL//wd0yLESWK5WCoU41EScY5EmozzMqUiiUKSKcUl0v9k4t8s+wM+3zUAsGo+AXuRLahdYwP2SycQWHTA4vcAAPK7b8HUKAgDgGiD4c93/+8//UegJQCAZkmScQAAXkQkLlTKsz/HCAAARKCBKrBBG/TBGCzABhzBBdzBC/xgNoRCJMTCQhBCCmSAHHJgKayCQiiGzbAdKmAv1EAdNMBRaIaTcA4uwlW4Dj1wD/phCJ7BKLyBCQRByAgTYSHaiAFiilgjjggXmYX4IcFIBBKLJCDJiBRRIkuRNUgxUopUIFVIHfI9cgI5h1xGupE7yAAygvyGvEcxlIGyUT3UDLVDuag3GoRGogvQZHQxmo8WoJvQcrQaPYw2oefQq2gP2o8+Q8cwwOgYBzPEbDAuxsNCsTgsCZNjy7EirAyrxhqwVqwDu4n1Y8+xdwQSgUXACTYEd0IgYR5BSFhMWE7YSKggHCQ0EdoJNwkDhFHCJyKTqEu0JroR+cQYYjIxh1hILCPWEo8TLxB7iEPENyQSiUMyJ7mQAkmxpFTSEtJG0m5SI+ksqZs0SBojk8naZGuyBzmULCAryIXkneTD5DPkG+Qh8lsKnWJAcaT4U+IoUspqShnlEOU05QZlmDJBVaOaUt2ooVQRNY9aQq2htlKvUYeoEzR1mjnNgxZJS6WtopXTGmgXaPdpr+h0uhHdlR5Ol9BX0svpR+iX6AP0dwwNhhWDx4hnKBmbGAcYZxl3GK+YTKYZ04sZx1QwNzHrmOeZD5lvVVgqtip8FZHKCpVKlSaVGyovVKmqpqreqgtV81XLVI+pXlN9rkZVM1PjqQnUlqtVqp1Q61MbU2epO6iHqmeob1Q/pH5Z/YkGWcNMw09DpFGgsV/jvMYgC2MZs3gsIWsNq4Z1gTXEJrHN2Xx2KruY/R27iz2qqaE5QzNKM1ezUvOUZj8H45hx+Jx0TgnnKKeX836K3hTvKeIpG6Y0TLkxZVxrqpaXllirSKtRq0frvTau7aedpr1Fu1n7gQ5Bx0onXCdHZ4/OBZ3nU9lT3acKpxZNPTr1ri6qa6UbobtEd79up+6Ynr5egJ5Mb6feeb3n+hx9L/1U/W36p/VHDFgGswwkBtsMzhg8xTVxbzwdL8fb8VFDXcNAQ6VhlWGX4YSRudE8o9VGjUYPjGnGXOMk423GbcajJgYmISZLTepN7ppSTbmmKaY7TDtMx83MzaLN1pk1mz0x1zLnm+eb15vft2BaeFostqi2uGVJsuRaplnutrxuhVo5WaVYVVpds0atna0l1rutu6cRp7lOk06rntZnw7Dxtsm2qbcZsOXYBtuutm22fWFnYhdnt8Wuw+6TvZN9un2N/T0HDYfZDqsdWh1+c7RyFDpWOt6azpzuP33F9JbpL2dYzxDP2DPjthPLKcRpnVOb00dnF2e5c4PziIuJS4LLLpc+Lpsbxt3IveRKdPVxXeF60vWdm7Obwu2o26/uNu5p7ofcn8w0nymeWTNz0MPIQ+BR5dE/C5+VMGvfrH5PQ0+BZ7XnIy9jL5FXrdewt6V3qvdh7xc+9j5yn+M+4zw33jLeWV/MN8C3yLfLT8Nvnl+F30N/I/9k/3r/0QCngCUBZwOJgUGBWwL7+Hp8Ib+OPzrbZfay2e1BjKC5QRVBj4KtguXBrSFoyOyQrSH355jOkc5pDoVQfujW0Adh5mGLw34MJ4WHhVeGP45wiFga0TGXNXfR3ENz30T6RJZE3ptnMU85ry1KNSo+qi5qPNo3ujS6P8YuZlnM1VidWElsSxw5LiquNm5svt/87fOH4p3iC+N7F5gvyF1weaHOwvSFpxapLhIsOpZATIhOOJTwQRAqqBaMJfITdyWOCnnCHcJnIi/RNtGI2ENcKh5O8kgqTXqS7JG8NXkkxTOlLOW5hCepkLxMDUzdmzqeFpp2IG0yPTq9MYOSkZBxQqohTZO2Z+pn5mZ2y6xlhbL+xW6Lty8elQfJa7OQrAVZLQq2QqboVFoo1yoHsmdlV2a/zYnKOZarnivN7cyzytuQN5zvn//tEsIS4ZK2pYZLVy0dWOa9rGo5sjxxedsK4xUFK4ZWBqw8uIq2Km3VT6vtV5eufr0mek1rgV7ByoLBtQFr6wtVCuWFfevc1+1dT1gvWd+1YfqGnRs+FYmKrhTbF5cVf9go3HjlG4dvyr+Z3JS0qavEuWTPZtJm6ebeLZ5bDpaql+aXDm4N2dq0Dd9WtO319kXbL5fNKNu7g7ZDuaO/PLi8ZafJzs07P1SkVPRU+lQ27tLdtWHX+G7R7ht7vPY07NXbW7z3/T7JvttVAVVN1WbVZftJ+7P3P66Jqun4lvttXa1ObXHtxwPSA/0HIw6217nU1R3SPVRSj9Yr60cOxx++/p3vdy0NNg1VjZzG4iNwRHnk6fcJ3/ceDTradox7rOEH0x92HWcdL2pCmvKaRptTmvtbYlu6T8w+0dbq3nr8R9sfD5w0PFl5SvNUyWna6YLTk2fyz4ydlZ19fi753GDborZ752PO32oPb++6EHTh0kX/i+c7vDvOXPK4dPKy2+UTV7hXmq86X23qdOo8/pPTT8e7nLuarrlca7nuer21e2b36RueN87d9L158Rb/1tWeOT3dvfN6b/fF9/XfFt1+cif9zsu72Xcn7q28T7xf9EDtQdlD3YfVP1v+3Njv3H9qwHeg89HcR/cGhYPP/pH1jw9DBY+Zj8uGDYbrnjg+OTniP3L96fynQ89kzyaeF/6i/suuFxYvfvjV69fO0ZjRoZfyl5O/bXyl/erA6xmv28bCxh6+yXgzMV70VvvtwXfcdx3vo98PT+R8IH8o/2j5sfVT0Kf7kxmTk/8EA5jz/GMzLdsAAAAgY0hSTQAAeiUAAICDAAD5/wAAgOkAAHUwAADqYAAAOpgAABdvkl/FRgAAAHFJREFUeNpi/P//PwMlgImBQsA44C6gvhfa29v3MzAwOODRc6CystIRbxi0t7fjDJjKykpGYrwwi1hxnLHQ3t7+jIGBQRJJ6HllZaUUKYEYRYBPOB0gBShKwKGA////48VtbW3/8clTnBIH3gCKkzJgAGvBX0dDm0sCAAAAAElFTkSuQmCC);}table.treetable tr.branch{background-color:#f9f9f9;}table.treetable tr.selected{background-color:#3875d7;color:#fff;}table.treetable tr span.indenter a{outline:none;}tr.rule-overview-needs-attention td a{color:#d9534f;}td.rule-result div,span.rule-result{text-align:center;font-weight:700;color:#fff;background:gray;}td.rule-result-unknown div,span.rule-result-unknown{background:#f0ad4e;}.js-only{display:none;}.rule-detail-fail,.rule-detail-error,.rule-detail-unknown{border:2px solid #d9534f;}#footer{text-align:center;margin-top:50px;}pre{overflow:auto!important;word-wrap:normal!important;white-space:pre-wrap;}div.check-system-details,div.remediation,div.description{display:inline-block;width:0;min-width:100%;overflow-x:auto;}div.profile-description{white-space:pre-wrap;}div.modal-body{margin:50px;padding:0;}div.horizontal-scroll{overflow-x:auto;}div.top-spacer-10{margin-top:10px;}td.rule-result-fail div,span.rule-result-fail,td.rule-result-error div,span.rule-result-error{background:#d9534f;}td.rule-result-pass div,span.rule-result-pass,td.rule-result-fixed div,span.rule-result-fixed{background:#5cb85c;}.rule-result-filtered,.rule-result-filtered > *,.search-no-match,.search-no-match > *{display:none!important;}@media print{.container{width:100%;}.rule-result abbr[title]:after,.identifiers abbr[title]:after,.identifiers a[href]:after{content:"";}}</style><script> /*! jQuery v1.12.4 | (c) jQuery Foundation | jquery.org/license */ !function(a,b){"object"==typeof module&&"object"==typeof module.exports?module.exports=a.document?b(a,!0):function(a){if(!a.document)throw new Error("jQuery requires a window with a document");return b(a)}:b(a)}("undefined"!=typeof window?window:this,function(a,b){var c=[],d=a.document,e=c.slice,f=c.concat,g=c.push,h=c.indexOf,i={},j=i.toString,k=i.hasOwnProperty,l={},m="1.12.4",n=function(a,b){return new n.fn.init(a,b)},o=/^[\s\uFEFF\xA0]+|[\s\uFEFF\xA0]+$/g,p=/^-ms-/,q=/-([\da-z])/gi,r=function(a,b){return b.toUpperCase()};n.fn=n.prototype={jquery:m,constructor:n,selector:"",length:0,toArray:function(){return e.call(this)},get:function(a){return null!=a?0>a?this[a+this.length]:this[a]:e.call(this)},pushStack:function(a){var b=n.merge(this.constructor(),a);return b.prevObject=this,b.context=this.context,b},each:function(a){return n.each(this,a)},map:function(a){return this.pushStack(n.map(this,function(b,c){return a.call(b,c,b)}))},slice:function(){return this.pushStack(e.apply(this,arguments))},first:function(){return this.eq(0)},last:function(){return this.eq(-1)},eq:function(a){var b=this.length,c=+a+(0>a?b:0);return this.pushStack(c>=0&&b>c?[this[c]]:[])},end:function(){return this.prevObject||this.constructor()},push:g,sort:c.sort,splice:c.splice},n.extend=n.fn.extend=function(){var a,b,c,d,e,f,g=arguments[0]||{},h=1,i=arguments.length,j=!1;for("boolean"==typeof g&&(j=g,g=arguments[h]||{},h++),"object"==typeof g||n.isFunction(g)||(g={}),h===i&&(g=this,h--);i>h;h++)if(null!=(e=arguments[h]))for(d in e)a=g[d],c=e[d],g!==c&&(j&&c&&(n.isPlainObject(c)||(b=n.isArray(c)))?(b?(b=!1,f=a&&n.isArray(a)?a:[]):f=a&&n.isPlainObject(a)?a:{},g[d]=n.extend(j,f,c)):void 0!==c&&(g[d]=c));return g},n.extend({expando:"jQuery"+(m+Math.random()).replace(/\D/g,""),isReady:!0,error:function(a){throw new Error(a)},noop:function(){},isFunction:function(a){return"function"===n.type(a)},isArray:Array.isArray||function(a){return"array"===n.type(a)},isWindow:function(a){return null!=a&&a==a.window},isNumeric:function(a){var b=a&&a.toString();return!n.isArray(a)&&b-parseFloat(b)+1>=0},isEmptyObject:function(a){var b;for(b in a)return!1;return!0},isPlainObject:function(a){var b;if(!a||"object"!==n.type(a)||a.nodeType||n.isWindow(a))return!1;try{if(a.constructor&&!k.call(a,"constructor")&&!k.call(a.constructor.prototype,"isPrototypeOf"))return!1}catch(c){return!1}if(!l.ownFirst)for(b in a)return k.call(a,b);for(b in a);return void 0===b||k.call(a,b)},type:function(a){return null==a?a+"":"object"==typeof a||"function"==typeof a?i[j.call(a)]||"object":typeof a},globalEval:function(b){b&&n.trim(b)&&(a.execScript||function(b){a.eval.call(a,b)})(b)},camelCase:function(a){return a.replace(p,"ms-").replace(q,r)},nodeName:function(a,b){return a.nodeName&&a.nodeName.toLowerCase()===b.toLowerCase()},each:function(a,b){var c,d=0;if(s(a)){for(c=a.length;c>d;d++)if(b.call(a[d],d,a[d])===!1)break}else for(d in a)if(b.call(a[d],d,a[d])===!1)break;return a},trim:function(a){return null==a?"":(a+"").replace(o,"")},makeArray:function(a,b){var c=b||[];return null!=a&&(s(Object(a))?n.merge(c,"string"==typeof a?[a]:a):g.call(c,a)),c},inArray:function(a,b,c){var d;if(b){if(h)return h.call(b,a,c);for(d=b.length,c=c?0>c?Math.max(0,d+c):c:0;d>c;c++)if(c in b&&b[c]===a)return c}return-1},merge:function(a,b){var c=+b.length,d=0,e=a.length;while(c>d)a[e++]=b[d++];if(c!==c)while(void 0!==b[d])a[e++]=b[d++];return a.length=e,a},grep:function(a,b,c){for(var d,e=[],f=0,g=a.length,h=!c;g>f;f++)d=!b(a[f],f),d!==h&&e.push(a[f]);return e},map:function(a,b,c){var d,e,g=0,h=[];if(s(a))for(d=a.length;d>g;g++)e=b(a[g],g,c),null!=e&&h.push(e);else for(g in a)e=b(a[g],g,c),null!=e&&h.push(e);return f.apply([],h)},guid:1,proxy:function(a,b){var c,d,f;return"string"==typeof b&&(f=a[b],b=a,a=f),n.isFunction(a)?(c=e.call(arguments,2),d=function(){return a.apply(b||this,c.concat(e.call(arguments)))},d.guid=a.guid=a.guid||n.guid++,d):void 0},now:function(){return+new Date},support:l}),"function"==typeof Symbol&&(n.fn[Symbol.iterator]=c[Symbol.iterator]),n.each("Boolean Number String Function Array Date RegExp Object Error Symbol".split(" "),function(a,b){i["[object "+b+"]"]=b.toLowerCase()});function s(a){var b=!!a&&"length"in a&&a.length,c=n.type(a);return"function"===c||n.isWindow(a)?!1:"array"===c||0===b||"number"==typeof b&&b>0&&b-1 in a}var t=function(a){var b,c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u="sizzle"+1*new Date,v=a.document,w=0,x=0,y=ga(),z=ga(),A=ga(),B=function(a,b){return a===b&&(l=!0),0},C=1<<31,D={}.hasOwnProperty,E=[],F=E.pop,G=E.push,H=E.push,I=E.slice,J=function(a,b){for(var c=0,d=a.length;d>c;c++)if(a[c]===b)return c;return-1},K="checked|selected|async|autofocus|autoplay|controls|defer|disabled|hidden|ismap|loop|multiple|open|readonly|required|scoped",L="[\\x20\\t\\r\\n\\f]",M="(?:\\\\.|[\\w-]|[^\\x00-\\xa0])+",N="\\["+L+"*("+M+")(?:"+L+"*([*^$|!~]?=)"+L+"*(?:'((?:\\\\.|[^\\\\'])*)'|\"((?:\\\\.|[^\\\\\"])*)\"|("+M+"))|)"+L+"*\\]",O=":("+M+")(?:\\((('((?:\\\\.|[^\\\\'])*)'|\"((?:\\\\.|[^\\\\\"])*)\")|((?:\\\\.|[^\\\\()[\\]]|"+N+")*)|.*)\\)|)",P=new RegExp(L+"+","g"),Q=new RegExp("^"+L+"+|((?:^|[^\\\\])(?:\\\\.)*)"+L+"+$","g"),R=new RegExp("^"+L+"*,"+L+"*"),S=new RegExp("^"+L+"*([>+~]|"+L+")"+L+"*"),T=new RegExp("="+L+"*([^\\]'\"]*?)"+L+"*\\]","g"),U=new RegExp(O),V=new RegExp("^"+M+"$"),W={ID:new RegExp("^#("+M+")"),CLASS:new RegExp("^\\.("+M+")"),TAG:new RegExp("^("+M+"|[*])"),ATTR:new RegExp("^"+N),PSEUDO:new RegExp("^"+O),CHILD:new RegExp("^:(only|first|last|nth|nth-last)-(child|of-type)(?:\\("+L+"*(even|odd|(([+-]|)(\\d*)n|)"+L+"*(?:([+-]|)"+L+"*(\\d+)|))"+L+"*\\)|)","i"),bool:new RegExp("^(?:"+K+")$","i"),needsContext:new RegExp("^"+L+"*[>+~]|:(even|odd|eq|gt|lt|nth|first|last)(?:\\("+L+"*((?:-\\d)?\\d*)"+L+"*\\)|)(?=[^-]|$)","i")},X=/^(?:input|select|textarea|button)$/i,Y=/^h\d$/i,Z=/^[^{]+\{\s*\[native \w/,$=/^(?:#([\w-]+)|(\w+)|\.([\w-]+))$/,_=/[+~]/,aa=/'|\\/g,ba=new RegExp("\\\\([\\da-f]{1,6}"+L+"?|("+L+")|.)","ig"),ca=function(a,b,c){var d="0x"+b-65536;return d!==d||c?b:0>d?String.fromCharCode(d+65536):String.fromCharCode(d>>10|55296,1023&d|56320)},da=function(){m()};try{H.apply(E=I.call(v.childNodes),v.childNodes),E[v.childNodes.length].nodeType}catch(ea){H={apply:E.length?function(a,b){G.apply(a,I.call(b))}:function(a,b){var c=a.length,d=0;while(a[c++]=b[d++]);a.length=c-1}}}function fa(a,b,d,e){var f,h,j,k,l,o,r,s,w=b&&b.ownerDocument,x=b?b.nodeType:9;if(d=d||[],"string"!=typeof a||!a||1!==x&&9!==x&&11!==x)return d;if(!e&&((b?b.ownerDocument||b:v)!==n&&m(b),b=b||n,p)){if(11!==x&&(o=$.exec(a)))if(f=o[1]){if(9===x){if(!(j=b.getElementById(f)))return d;if(j.id===f)return d.push(j),d}else if(w&&(j=w.getElementById(f))&&t(b,j)&&j.id===f)return d.push(j),d}else{if(o[2])return H.apply(d,b.getElementsByTagName(a)),d;if((f=o[3])&&c.getElementsByClassName&&b.getElementsByClassName)return H.apply(d,b.getElementsByClassName(f)),d}if(c.qsa&&!A[a+" "]&&(!q||!q.test(a))){if(1!==x)w=b,s=a;else if("object"!==b.nodeName.toLowerCase()){(k=b.getAttribute("id"))?k=k.replace(aa,"\\$&"):b.setAttribute("id",k=u),r=g(a),h=r.length,l=V.test(k)?"#"+k:"[id='"+k+"']";while(h--)r[h]=l+" "+qa(r[h]);s=r.join(","),w=_.test(a)&&oa(b.parentNode)||b}if(s)try{return H.apply(d,w.querySelectorAll(s)),d}catch(y){}finally{k===u&&b.removeAttribute("id")}}}return i(a.replace(Q,"$1"),b,d,e)}function ga(){var a=[];function b(c,e){return a.push(c+" ")>d.cacheLength&&delete b[a.shift()],b[c+" "]=e}return b}function ha(a){return a[u]=!0,a}function ia(a){var b=n.createElement("div");try{return!!a(b)}catch(c){return!1}finally{b.parentNode&&b.parentNode.removeChild(b),b=null}}function ja(a,b){var c=a.split("|"),e=c.length;while(e--)d.attrHandle[c[e]]=b}function ka(a,b){var c=b&&a,d=c&&1===a.nodeType&&1===b.nodeType&&(~b.sourceIndex||C)-(~a.sourceIndex||C);if(d)return d;if(c)while(c=c.nextSibling)if(c===b)return-1;return a?1:-1}function la(a){return function(b){var c=b.nodeName.toLowerCase();return"input"===c&&b.type===a}}function ma(a){return function(b){var c=b.nodeName.toLowerCase();return("input"===c||"button"===c)&&b.type===a}}function na(a){return ha(function(b){return b=+b,ha(function(c,d){var e,f=a([],c.length,b),g=f.length;while(g--)c[e=f[g]]&&(c[e]=!(d[e]=c[e]))})})}function oa(a){return a&&"undefined"!=typeof a.getElementsByTagName&&a}c=fa.support={},f=fa.isXML=function(a){var b=a&&(a.ownerDocument||a).documentElement;return b?"HTML"!==b.nodeName:!1},m=fa.setDocument=function(a){var b,e,g=a?a.ownerDocument||a:v;return g!==n&&9===g.nodeType&&g.documentElement?(n=g,o=n.documentElement,p=!f(n),(e=n.defaultView)&&e.top!==e&&(e.addEventListener?e.addEventListener("unload",da,!1):e.attachEvent&&e.attachEvent("onunload",da)),c.attributes=ia(function(a){return a.className="i",!a.getAttribute("className")}),c.getElementsByTagName=ia(function(a){return a.appendChild(n.createComment("")),!a.getElementsByTagName("*").length}),c.getElementsByClassName=Z.test(n.getElementsByClassName),c.getById=ia(function(a){return o.appendChild(a).id=u,!n.getElementsByName||!n.getElementsByName(u).length}),c.getById?(d.find.ID=function(a,b){if("undefined"!=typeof b.getElementById&&p){var c=b.getElementById(a);return c?[c]:[]}},d.filter.ID=function(a){var b=a.replace(ba,ca);return function(a){return a.getAttribute("id")===b}}):(delete d.find.ID,d.filter.ID=function(a){var b=a.replace(ba,ca);return function(a){var c="undefined"!=typeof a.getAttributeNode&&a.getAttributeNode("id");return c&&c.value===b}}),d.find.TAG=c.getElementsByTagName?function(a,b){return"undefined"!=typeof b.getElementsByTagName?b.getElementsByTagName(a):c.qsa?b.querySelectorAll(a):void 0}:function(a,b){var c,d=[],e=0,f=b.getElementsByTagName(a);if("*"===a){while(c=f[e++])1===c.nodeType&&d.push(c);return d}return f},d.find.CLASS=c.getElementsByClassName&&function(a,b){return"undefined"!=typeof b.getElementsByClassName&&p?b.getElementsByClassName(a):void 0},r=[],q=[],(c.qsa=Z.test(n.querySelectorAll))&&(ia(function(a){o.appendChild(a).innerHTML="<a id='"+u+"'></a><select id='"+u+"-\r\\' msallowcapture=''><option selected=''></option></select>",a.querySelectorAll("[msallowcapture^='']").length&&q.push("[*^$]="+L+"*(?:''|\"\")"),a.querySelectorAll("[selected]").length||q.push("\\["+L+"*(?:value|"+K+")"),a.querySelectorAll("[id~="+u+"-]").length||q.push("~="),a.querySelectorAll(":checked").length||q.push(":checked"),a.querySelectorAll("a#"+u+"+*").length||q.push(".#.+[+~]")}),ia(function(a){var b=n.createElement("input");b.setAttribute("type","hidden"),a.appendChild(b).setAttribute("name","D"),a.querySelectorAll("[name=d]").length&&q.push("name"+L+"*[*^$|!~]?="),a.querySelectorAll(":enabled").length||q.push(":enabled",":disabled"),a.querySelectorAll("*,:x"),q.push(",.*:")})),(c.matchesSelector=Z.test(s=o.matches||o.webkitMatchesSelector||o.mozMatchesSelector||o.oMatchesSelector||o.msMatchesSelector))&&ia(function(a){c.disconnectedMatch=s.call(a,"div"),s.call(a,"[s!='']:x"),r.push("!=",O)}),q=q.length&&new RegExp(q.join("|")),r=r.length&&new RegExp(r.join("|")),b=Z.test(o.compareDocumentPosition),t=b||Z.test(o.contains)?function(a,b){var c=9===a.nodeType?a.documentElement:a,d=b&&b.parentNode;return a===d||!(!d||1!==d.nodeType||!(c.contains?c.contains(d):a.compareDocumentPosition&&16&a.compareDocumentPosition(d)))}:function(a,b){if(b)while(b=b.parentNode)if(b===a)return!0;return!1},B=b?function(a,b){if(a===b)return l=!0,0;var d=!a.compareDocumentPosition-!b.compareDocumentPosition;return d?d:(d=(a.ownerDocument||a)===(b.ownerDocument||b)?a.compareDocumentPosition(b):1,1&d||!c.sortDetached&&b.compareDocumentPosition(a)===d?a===n||a.ownerDocument===v&&t(v,a)?-1:b===n||b.ownerDocument===v&&t(v,b)?1:k?J(k,a)-J(k,b):0:4&d?-1:1)}:function(a,b){if(a===b)return l=!0,0;var c,d=0,e=a.parentNode,f=b.parentNode,g=[a],h=[b];if(!e||!f)return a===n?-1:b===n?1:e?-1:f?1:k?J(k,a)-J(k,b):0;if(e===f)return ka(a,b);c=a;while(c=c.parentNode)g.unshift(c);c=b;while(c=c.parentNode)h.unshift(c);while(g[d]===h[d])d++;return d?ka(g[d],h[d]):g[d]===v?-1:h[d]===v?1:0},n):n},fa.matches=function(a,b){return fa(a,null,null,b)},fa.matchesSelector=function(a,b){if((a.ownerDocument||a)!==n&&m(a),b=b.replace(T,"='$1']"),c.matchesSelector&&p&&!A[b+" "]&&(!r||!r.test(b))&&(!q||!q.test(b)))try{var d=s.call(a,b);if(d||c.disconnectedMatch||a.document&&11!==a.document.nodeType)return d}catch(e){}return fa(b,n,null,[a]).length>0},fa.contains=function(a,b){return(a.ownerDocument||a)!==n&&m(a),t(a,b)},fa.attr=function(a,b){(a.ownerDocument||a)!==n&&m(a);var e=d.attrHandle[b.toLowerCase()],f=e&&D.call(d.attrHandle,b.toLowerCase())?e(a,b,!p):void 0;return void 0!==f?f:c.attributes||!p?a.getAttribute(b):(f=a.getAttributeNode(b))&&f.specified?f.value:null},fa.error=function(a){throw new Error("Syntax error, unrecognized expression: "+a)},fa.uniqueSort=function(a){var b,d=[],e=0,f=0;if(l=!c.detectDuplicates,k=!c.sortStable&&a.slice(0),a.sort(B),l){while(b=a[f++])b===a[f]&&(e=d.push(f));while(e--)a.splice(d[e],1)}return k=null,a},e=fa.getText=function(a){var b,c="",d=0,f=a.nodeType;if(f){if(1===f||9===f||11===f){if("string"==typeof a.textContent)return a.textContent;for(a=a.firstChild;a;a=a.nextSibling)c+=e(a)}else if(3===f||4===f)return a.nodeValue}else while(b=a[d++])c+=e(b);return c},d=fa.selectors={cacheLength:50,createPseudo:ha,match:W,attrHandle:{},find:{},relative:{">":{dir:"parentNode",first:!0}," ":{dir:"parentNode"},"+":{dir:"previousSibling",first:!0},"~":{dir:"previousSibling"}},preFilter:{ATTR:function(a){return a[1]=a[1].replace(ba,ca),a[3]=(a[3]||a[4]||a[5]||"").replace(ba,ca),"~="===a[2]&&(a[3]=" "+a[3]+" "),a.slice(0,4)},CHILD:function(a){return a[1]=a[1].toLowerCase(),"nth"===a[1].slice(0,3)?(a[3]||fa.error(a[0]),a[4]=+(a[4]?a[5]+(a[6]||1):2*("even"===a[3]||"odd"===a[3])),a[5]=+(a[7]+a[8]||"odd"===a[3])):a[3]&&fa.error(a[0]),a},PSEUDO:function(a){var b,c=!a[6]&&a[2];return W.CHILD.test(a[0])?null:(a[3]?a[2]=a[4]||a[5]||"":c&&U.test(c)&&(b=g(c,!0))&&(b=c.indexOf(")",c.length-b)-c.length)&&(a[0]=a[0].slice(0,b),a[2]=c.slice(0,b)),a.slice(0,3))}},filter:{TAG:function(a){var b=a.replace(ba,ca).toLowerCase();return"*"===a?function(){return!0}:function(a){return a.nodeName&&a.nodeName.toLowerCase()===b}},CLASS:function(a){var b=y[a+" "];return b||(b=new RegExp("(^|"+L+")"+a+"("+L+"|$)"))&&y(a,function(a){return b.test("string"==typeof a.className&&a.className||"undefined"!=typeof a.getAttribute&&a.getAttribute("class")||"")})},ATTR:function(a,b,c){return function(d){var e=fa.attr(d,a);return null==e?"!="===b:b?(e+="","="===b?e===c:"!="===b?e!==c:"^="===b?c&&0===e.indexOf(c):"*="===b?c&&e.indexOf(c)>-1:"$="===b?c&&e.slice(-c.length)===c:"~="===b?(" "+e.replace(P," ")+" ").indexOf(c)>-1:"|="===b?e===c||e.slice(0,c.length+1)===c+"-":!1):!0}},CHILD:function(a,b,c,d,e){var f="nth"!==a.slice(0,3),g="last"!==a.slice(-4),h="of-type"===b;return 1===d&&0===e?function(a){return!!a.parentNode}:function(b,c,i){var j,k,l,m,n,o,p=f!==g?"nextSibling":"previousSibling",q=b.parentNode,r=h&&b.nodeName.toLowerCase(),s=!i&&!h,t=!1;if(q){if(f){while(p){m=b;while(m=m[p])if(h?m.nodeName.toLowerCase()===r:1===m.nodeType)return!1;o=p="only"===a&&!o&&"nextSibling"}return!0}if(o=[g?q.firstChild:q.lastChild],g&&s){m=q,l=m[u]||(m[u]={}),k=l[m.uniqueID]||(l[m.uniqueID]={}),j=k[a]||[],n=j[0]===w&&j[1],t=n&&j[2],m=n&&q.childNodes[n];while(m=++n&&m&&m[p]||(t=n=0)||o.pop())if(1===m.nodeType&&++t&&m===b){k[a]=[w,n,t];break}}else if(s&&(m=b,l=m[u]||(m[u]={}),k=l[m.uniqueID]||(l[m.uniqueID]={}),j=k[a]||[],n=j[0]===w&&j[1],t=n),t===!1)while(m=++n&&m&&m[p]||(t=n=0)||o.pop())if((h?m.nodeName.toLowerCase()===r:1===m.nodeType)&&++t&&(s&&(l=m[u]||(m[u]={}),k=l[m.uniqueID]||(l[m.uniqueID]={}),k[a]=[w,t]),m===b))break;return t-=e,t===d||t%d===0&&t/d>=0}}},PSEUDO:function(a,b){var c,e=d.pseudos[a]||d.setFilters[a.toLowerCase()]||fa.error("unsupported pseudo: "+a);return e[u]?e(b):e.length>1?(c=[a,a,"",b],d.setFilters.hasOwnProperty(a.toLowerCase())?ha(function(a,c){var d,f=e(a,b),g=f.length;while(g--)d=J(a,f[g]),a[d]=!(c[d]=f[g])}):function(a){return e(a,0,c)}):e}},pseudos:{not:ha(function(a){var b=[],c=[],d=h(a.replace(Q,"$1"));return d[u]?ha(function(a,b,c,e){var f,g=d(a,null,e,[]),h=a.length;while(h--)(f=g[h])&&(a[h]=!(b[h]=f))}):function(a,e,f){return b[0]=a,d(b,null,f,c),b[0]=null,!c.pop()}}),has:ha(function(a){return function(b){return fa(a,b).length>0}}),contains:ha(function(a){return a=a.replace(ba,ca),function(b){return(b.textContent||b.innerText||e(b)).indexOf(a)>-1}}),lang:ha(function(a){return V.test(a||"")||fa.error("unsupported lang: "+a),a=a.replace(ba,ca).toLowerCase(),function(b){var c;do if(c=p?b.lang:b.getAttribute("xml:lang")||b.getAttribute("lang"))return c=c.toLowerCase(),c===a||0===c.indexOf(a+"-");while((b=b.parentNode)&&1===b.nodeType);return!1}}),target:function(b){var c=a.location&&a.location.hash;return c&&c.slice(1)===b.id},root:function(a){return a===o},focus:function(a){return a===n.activeElement&&(!n.hasFocus||n.hasFocus())&&!!(a.type||a.href||~a.tabIndex)},enabled:function(a){return a.disabled===!1},disabled:function(a){return a.disabled===!0},checked:function(a){var b=a.nodeName.toLowerCase();return"input"===b&&!!a.checked||"option"===b&&!!a.selected},selected:function(a){return a.parentNode&&a.parentNode.selectedIndex,a.selected===!0},empty:function(a){for(a=a.firstChild;a;a=a.nextSibling)if(a.nodeType<6)return!1;return!0},parent:function(a){return!d.pseudos.empty(a)},header:function(a){return Y.test(a.nodeName)},input:function(a){return X.test(a.nodeName)},button:function(a){var b=a.nodeName.toLowerCase();return"input"===b&&"button"===a.type||"button"===b},text:function(a){var b;return"input"===a.nodeName.toLowerCase()&&"text"===a.type&&(null==(b=a.getAttribute("type"))||"text"===b.toLowerCase())},first:na(function(){return[0]}),last:na(function(a,b){return[b-1]}),eq:na(function(a,b,c){return[0>c?c+b:c]}),even:na(function(a,b){for(var c=0;b>c;c+=2)a.push(c);return a}),odd:na(function(a,b){for(var c=1;b>c;c+=2)a.push(c);return a}),lt:na(function(a,b,c){for(var d=0>c?c+b:c;--d>=0;)a.push(d);return a}),gt:na(function(a,b,c){for(var d=0>c?c+b:c;++d<b;)a.push(d);return a})}},d.pseudos.nth=d.pseudos.eq;for(b in{radio:!0,checkbox:!0,file:!0,password:!0,image:!0})d.pseudos[b]=la(b);for(b in{submit:!0,reset:!0})d.pseudos[b]=ma(b);function pa(){}pa.prototype=d.filters=d.pseudos,d.setFilters=new pa,g=fa.tokenize=function(a,b){var c,e,f,g,h,i,j,k=z[a+" "];if(k)return b?0:k.slice(0);h=a,i=[],j=d.preFilter;while(h){c&&!(e=R.exec(h))||(e&&(h=h.slice(e[0].length)||h),i.push(f=[])),c=!1,(e=S.exec(h))&&(c=e.shift(),f.push({value:c,type:e[0].replace(Q," ")}),h=h.slice(c.length));for(g in d.filter)!(e=W[g].exec(h))||j[g]&&!(e=j[g](e))||(c=e.shift(),f.push({value:c,type:g,matches:e}),h=h.slice(c.length));if(!c)break}return b?h.length:h?fa.error(a):z(a,i).slice(0)};function qa(a){for(var b=0,c=a.length,d="";c>b;b++)d+=a[b].value;return d}function ra(a,b,c){var d=b.dir,e=c&&"parentNode"===d,f=x++;return b.first?function(b,c,f){while(b=b[d])if(1===b.nodeType||e)return a(b,c,f)}:function(b,c,g){var h,i,j,k=[w,f];if(g){while(b=b[d])if((1===b.nodeType||e)&&a(b,c,g))return!0}else while(b=b[d])if(1===b.nodeType||e){if(j=b[u]||(b[u]={}),i=j[b.uniqueID]||(j[b.uniqueID]={}),(h=i[d])&&h[0]===w&&h[1]===f)return k[2]=h[2];if(i[d]=k,k[2]=a(b,c,g))return!0}}}function sa(a){return a.length>1?function(b,c,d){var e=a.length;while(e--)if(!a[e](b,c,d))return!1;return!0}:a[0]}function ta(a,b,c){for(var d=0,e=b.length;e>d;d++)fa(a,b[d],c);return c}function ua(a,b,c,d,e){for(var f,g=[],h=0,i=a.length,j=null!=b;i>h;h++)(f=a[h])&&(c&&!c(f,d,e)||(g.push(f),j&&b.push(h)));return g}function va(a,b,c,d,e,f){return d&&!d[u]&&(d=va(d)),e&&!e[u]&&(e=va(e,f)),ha(function(f,g,h,i){var j,k,l,m=[],n=[],o=g.length,p=f||ta(b||"*",h.nodeType?[h]:h,[]),q=!a||!f&&b?p:ua(p,m,a,h,i),r=c?e||(f?a:o||d)?[]:g:q;if(c&&c(q,r,h,i),d){j=ua(r,n),d(j,[],h,i),k=j.length;while(k--)(l=j[k])&&(r[n[k]]=!(q[n[k]]=l))}if(f){if(e||a){if(e){j=[],k=r.length;while(k--)(l=r[k])&&j.push(q[k]=l);e(null,r=[],j,i)}k=r.length;while(k--)(l=r[k])&&(j=e?J(f,l):m[k])>-1&&(f[j]=!(g[j]=l))}}else r=ua(r===g?r.splice(o,r.length):r),e?e(null,g,r,i):H.apply(g,r)})}function wa(a){for(var b,c,e,f=a.length,g=d.relative[a[0].type],h=g||d.relative[" "],i=g?1:0,k=ra(function(a){return a===b},h,!0),l=ra(function(a){return J(b,a)>-1},h,!0),m=[function(a,c,d){var e=!g&&(d||c!==j)||((b=c).nodeType?k(a,c,d):l(a,c,d));return b=null,e}];f>i;i++)if(c=d.relative[a[i].type])m=[ra(sa(m),c)];else{if(c=d.filter[a[i].type].apply(null,a[i].matches),c[u]){for(e=++i;f>e;e++)if(d.relative[a[e].type])break;return va(i>1&&sa(m),i>1&&qa(a.slice(0,i-1).concat({value:" "===a[i-2].type?"*":""})).replace(Q,"$1"),c,e>i&&wa(a.slice(i,e)),f>e&&wa(a=a.slice(e)),f>e&&qa(a))}m.push(c)}return sa(m)}function xa(a,b){var c=b.length>0,e=a.length>0,f=function(f,g,h,i,k){var l,o,q,r=0,s="0",t=f&&[],u=[],v=j,x=f||e&&d.find.TAG("*",k),y=w+=null==v?1:Math.random()||.1,z=x.length;for(k&&(j=g===n||g||k);s!==z&&null!=(l=x[s]);s++){if(e&&l){o=0,g||l.ownerDocument===n||(m(l),h=!p);while(q=a[o++])if(q(l,g||n,h)){i.push(l);break}k&&(w=y)}c&&((l=!q&&l)&&r--,f&&t.push(l))}if(r+=s,c&&s!==r){o=0;while(q=b[o++])q(t,u,g,h);if(f){if(r>0)while(s--)t[s]||u[s]||(u[s]=F.call(i));u=ua(u)}H.apply(i,u),k&&!f&&u.length>0&&r+b.length>1&&fa.uniqueSort(i)}return k&&(w=y,j=v),t};return c?ha(f):f}return h=fa.compile=function(a,b){var c,d=[],e=[],f=A[a+" "];if(!f){b||(b=g(a)),c=b.length;while(c--)f=wa(b[c]),f[u]?d.push(f):e.push(f);f=A(a,xa(e,d)),f.selector=a}return f},i=fa.select=function(a,b,e,f){var i,j,k,l,m,n="function"==typeof a&&a,o=!f&&g(a=n.selector||a);if(e=e||[],1===o.length){if(j=o[0]=o[0].slice(0),j.length>2&&"ID"===(k=j[0]).type&&c.getById&&9===b.nodeType&&p&&d.relative[j[1].type]){if(b=(d.find.ID(k.matches[0].replace(ba,ca),b)||[])[0],!b)return e;n&&(b=b.parentNode),a=a.slice(j.shift().value.length)}i=W.needsContext.test(a)?0:j.length;while(i--){if(k=j[i],d.relative[l=k.type])break;if((m=d.find[l])&&(f=m(k.matches[0].replace(ba,ca),_.test(j[0].type)&&oa(b.parentNode)||b))){if(j.splice(i,1),a=f.length&&qa(j),!a)return H.apply(e,f),e;break}}}return(n||h(a,o))(f,b,!p,e,!b||_.test(a)&&oa(b.parentNode)||b),e},c.sortStable=u.split("").sort(B).join("")===u,c.detectDuplicates=!!l,m(),c.sortDetached=ia(function(a){return 1&a.compareDocumentPosition(n.createElement("div"))}),ia(function(a){return a.innerHTML="<a href='#'></a>","#"===a.firstChild.getAttribute("href")})||ja("type|href|height|width",function(a,b,c){return c?void 0:a.getAttribute(b,"type"===b.toLowerCase()?1:2)}),c.attributes&&ia(function(a){return a.innerHTML="<input/>",a.firstChild.setAttribute("value",""),""===a.firstChild.getAttribute("value")})||ja("value",function(a,b,c){return c||"input"!==a.nodeName.toLowerCase()?void 0:a.defaultValue}),ia(function(a){return null==a.getAttribute("disabled")})||ja(K,function(a,b,c){var d;return c?void 0:a[b]===!0?b.toLowerCase():(d=a.getAttributeNode(b))&&d.specified?d.value:null}),fa}(a);n.find=t,n.expr=t.selectors,n.expr[":"]=n.expr.pseudos,n.uniqueSort=n.unique=t.uniqueSort,n.text=t.getText,n.isXMLDoc=t.isXML,n.contains=t.contains;var u=function(a,b,c){var d=[],e=void 0!==c;while((a=a[b])&&9!==a.nodeType)if(1===a.nodeType){if(e&&n(a).is(c))break;d.push(a)}return d},v=function(a,b){for(var c=[];a;a=a.nextSibling)1===a.nodeType&&a!==b&&c.push(a);return c},w=n.expr.match.needsContext,x=/^<([\w-]+)\s*\/?>(?:<\/\1>|)$/,y=/^.[^:#\[\.,]*$/;function z(a,b,c){if(n.isFunction(b))return n.grep(a,function(a,d){return!!b.call(a,d,a)!==c});if(b.nodeType)return n.grep(a,function(a){return a===b!==c});if("string"==typeof b){if(y.test(b))return n.filter(b,a,c);b=n.filter(b,a)}return n.grep(a,function(a){return n.inArray(a,b)>-1!==c})}n.filter=function(a,b,c){var d=b[0];return c&&(a=":not("+a+")"),1===b.length&&1===d.nodeType?n.find.matchesSelector(d,a)?[d]:[]:n.find.matches(a,n.grep(b,function(a){return 1===a.nodeType}))},n.fn.extend({find:function(a){var b,c=[],d=this,e=d.length;if("string"!=typeof a)return this.pushStack(n(a).filter(function(){for(b=0;e>b;b++)if(n.contains(d[b],this))return!0}));for(b=0;e>b;b++)n.find(a,d[b],c);return c=this.pushStack(e>1?n.unique(c):c),c.selector=this.selector?this.selector+" "+a:a,c},filter:function(a){return this.pushStack(z(this,a||[],!1))},not:function(a){return this.pushStack(z(this,a||[],!0))},is:function(a){return!!z(this,"string"==typeof a&&w.test(a)?n(a):a||[],!1).length}});var A,B=/^(?:\s*(<[\w\W]+>)[^>]*|#([\w-]*))$/,C=n.fn.init=function(a,b,c){var e,f;if(!a)return this;if(c=c||A,"string"==typeof a){if(e="<"===a.charAt(0)&&">"===a.charAt(a.length-1)&&a.length>=3?[null,a,null]:B.exec(a),!e||!e[1]&&b)return!b||b.jquery?(b||c).find(a):this.constructor(b).find(a);if(e[1]){if(b=b instanceof n?b[0]:b,n.merge(this,n.parseHTML(e[1],b&&b.nodeType?b.ownerDocument||b:d,!0)),x.test(e[1])&&n.isPlainObject(b))for(e in b)n.isFunction(this[e])?this[e](b[e]):this.attr(e,b[e]);return this}if(f=d.getElementById(e[2]),f&&f.parentNode){if(f.id!==e[2])return A.find(a);this.length=1,this[0]=f}return this.context=d,this.selector=a,this}return a.nodeType?(this.context=this[0]=a,this.length=1,this):n.isFunction(a)?"undefined"!=typeof c.ready?c.ready(a):a(n):(void 0!==a.selector&&(this.selector=a.selector,this.context=a.context),n.makeArray(a,this))};C.prototype=n.fn,A=n(d);var D=/^(?:parents|prev(?:Until|All))/,E={children:!0,contents:!0,next:!0,prev:!0};n.fn.extend({has:function(a){var b,c=n(a,this),d=c.length;return this.filter(function(){for(b=0;d>b;b++)if(n.contains(this,c[b]))return!0})},closest:function(a,b){for(var c,d=0,e=this.length,f=[],g=w.test(a)||"string"!=typeof a?n(a,b||this.context):0;e>d;d++)for(c=this[d];c&&c!==b;c=c.parentNode)if(c.nodeType<11&&(g?g.index(c)>-1:1===c.nodeType&&n.find.matchesSelector(c,a))){f.push(c);break}return this.pushStack(f.length>1?n.uniqueSort(f):f)},index:function(a){return a?"string"==typeof a?n.inArray(this[0],n(a)):n.inArray(a.jquery?a[0]:a,this):this[0]&&this[0].parentNode?this.first().prevAll().length:-1},add:function(a,b){return this.pushStack(n.uniqueSort(n.merge(this.get(),n(a,b))))},addBack:function(a){return this.add(null==a?this.prevObject:this.prevObject.filter(a))}});function F(a,b){do a=a[b];while(a&&1!==a.nodeType);return a}n.each({parent:function(a){var b=a.parentNode;return b&&11!==b.nodeType?b:null},parents:function(a){return u(a,"parentNode")},parentsUntil:function(a,b,c){return u(a,"parentNode",c)},next:function(a){return F(a,"nextSibling")},prev:function(a){return F(a,"previousSibling")},nextAll:function(a){return u(a,"nextSibling")},prevAll:function(a){return u(a,"previousSibling")},nextUntil:function(a,b,c){return u(a,"nextSibling",c)},prevUntil:function(a,b,c){return u(a,"previousSibling",c)},siblings:function(a){return v((a.parentNode||{}).firstChild,a)},children:function(a){return v(a.firstChild)},contents:function(a){return n.nodeName(a,"iframe")?a.contentDocument||a.contentWindow.document:n.merge([],a.childNodes)}},function(a,b){n.fn[a]=function(c,d){var e=n.map(this,b,c);return"Until"!==a.slice(-5)&&(d=c),d&&"string"==typeof d&&(e=n.filter(d,e)),this.length>1&&(E[a]||(e=n.uniqueSort(e)),D.test(a)&&(e=e.reverse())),this.pushStack(e)}});var G=/\S+/g;function H(a){var b={};return n.each(a.match(G)||[],function(a,c){b[c]=!0}),b}n.Callbacks=function(a){a="string"==typeof a?H(a):n.extend({},a);var b,c,d,e,f=[],g=[],h=-1,i=function(){for(e=a.once,d=b=!0;g.length;h=-1){c=g.shift();while(++h<f.length)f[h].apply(c[0],c[1])===!1&&a.stopOnFalse&&(h=f.length,c=!1)}a.memory||(c=!1),b=!1,e&&(f=c?[]:"")},j={add:function(){return f&&(c&&!b&&(h=f.length-1,g.push(c)),function d(b){n.each(b,function(b,c){n.isFunction(c)?a.unique&&j.has(c)||f.push(c):c&&c.length&&"string"!==n.type(c)&&d(c)})}(arguments),c&&!b&&i()),this},remove:function(){return n.each(arguments,function(a,b){var c;while((c=n.inArray(b,f,c))>-1)f.splice(c,1),h>=c&&h--}),this},has:function(a){return a?n.inArray(a,f)>-1:f.length>0},empty:function(){return f&&(f=[]),this},disable:function(){return e=g=[],f=c="",this},disabled:function(){return!f},lock:function(){return e=!0,c||j.disable(),this},locked:function(){return!!e},fireWith:function(a,c){return e||(c=c||[],c=[a,c.slice?c.slice():c],g.push(c),b||i()),this},fire:function(){return j.fireWith(this,arguments),this},fired:function(){return!!d}};return j},n.extend({Deferred:function(a){var b=[["resolve","done",n.Callbacks("once memory"),"resolved"],["reject","fail",n.Callbacks("once memory"),"rejected"],["notify","progress",n.Callbacks("memory")]],c="pending",d={state:function(){return c},always:function(){return e.done(arguments).fail(arguments),this},then:function(){var a=arguments;return n.Deferred(function(c){n.each(b,function(b,f){var g=n.isFunction(a[b])&&a[b];e[f[1]](function(){var a=g&&g.apply(this,arguments);a&&n.isFunction(a.promise)?a.promise().progress(c.notify).done(c.resolve).fail(c.reject):c[f[0]+"With"](this===d?c.promise():this,g?[a]:arguments)})}),a=null}).promise()},promise:function(a){return null!=a?n.extend(a,d):d}},e={};return d.pipe=d.then,n.each(b,function(a,f){var g=f[2],h=f[3];d[f[1]]=g.add,h&&g.add(function(){c=h},b[1^a][2].disable,b[2][2].lock),e[f[0]]=function(){return e[f[0]+"With"](this===e?d:this,arguments),this},e[f[0]+"With"]=g.fireWith}),d.promise(e),a&&a.call(e,e),e},when:function(a){var b=0,c=e.call(arguments),d=c.length,f=1!==d||a&&n.isFunction(a.promise)?d:0,g=1===f?a:n.Deferred(),h=function(a,b,c){return function(d){b[a]=this,c[a]=arguments.length>1?e.call(arguments):d,c===i?g.notifyWith(b,c):--f||g.resolveWith(b,c)}},i,j,k;if(d>1)for(i=new Array(d),j=new Array(d),k=new Array(d);d>b;b++)c[b]&&n.isFunction(c[b].promise)?c[b].promise().progress(h(b,j,i)).done(h(b,k,c)).fail(g.reject):--f;return f||g.resolveWith(k,c),g.promise()}});var I;n.fn.ready=function(a){return n.ready.promise().done(a),this},n.extend({isReady:!1,readyWait:1,holdReady:function(a){a?n.readyWait++:n.ready(!0)},ready:function(a){(a===!0?--n.readyWait:n.isReady)||(n.isReady=!0,a!==!0&&--n.readyWait>0||(I.resolveWith(d,[n]),n.fn.triggerHandler&&(n(d).triggerHandler("ready"),n(d).off("ready"))))}});function J(){d.addEventListener?(d.removeEventListener("DOMContentLoaded",K),a.removeEventListener("load",K)):(d.detachEvent("onreadystatechange",K),a.detachEvent("onload",K))}function K(){(d.addEventListener||"load"===a.event.type||"complete"===d.readyState)&&(J(),n.ready())}n.ready.promise=function(b){if(!I)if(I=n.Deferred(),"complete"===d.readyState||"loading"!==d.readyState&&!d.documentElement.doScroll)a.setTimeout(n.ready);else if(d.addEventListener)d.addEventListener("DOMContentLoaded",K),a.addEventListener("load",K);else{d.attachEvent("onreadystatechange",K),a.attachEvent("onload",K);var c=!1;try{c=null==a.frameElement&&d.documentElement}catch(e){}c&&c.doScroll&&!function f(){if(!n.isReady){try{c.doScroll("left")}catch(b){return a.setTimeout(f,50)}J(),n.ready()}}()}return I.promise(b)},n.ready.promise();var L;for(L in n(l))break;l.ownFirst="0"===L,l.inlineBlockNeedsLayout=!1,n(function(){var a,b,c,e;c=d.getElementsByTagName("body")[0],c&&c.style&&(b=d.createElement("div"),e=d.createElement("div"),e.style.cssText="position:absolute;border:0;width:0;height:0;top:0;left:-9999px",c.appendChild(e).appendChild(b),"undefined"!=typeof b.style.zoom&&(b.style.cssText="display:inline;margin:0;border:0;padding:1px;width:1px;zoom:1",l.inlineBlockNeedsLayout=a=3===b.offsetWidth,a&&(c.style.zoom=1)),c.removeChild(e))}),function(){var a=d.createElement("div");l.deleteExpando=!0;try{delete a.test}catch(b){l.deleteExpando=!1}a=null}();var M=function(a){var b=n.noData[(a.nodeName+" ").toLowerCase()],c=+a.nodeType||1;return 1!==c&&9!==c?!1:!b||b!==!0&&a.getAttribute("classid")===b},N=/^(?:\{[\w\W]*\}|\[[\w\W]*\])$/,O=/([A-Z])/g;function P(a,b,c){if(void 0===c&&1===a.nodeType){var d="data-"+b.replace(O,"-$1").toLowerCase();if(c=a.getAttribute(d),"string"==typeof c){try{c="true"===c?!0:"false"===c?!1:"null"===c?null:+c+""===c?+c:N.test(c)?n.parseJSON(c):c}catch(e){}n.data(a,b,c)}else c=void 0; }return c}function Q(a){var b;for(b in a)if(("data"!==b||!n.isEmptyObject(a[b]))&&"toJSON"!==b)return!1;return!0}function R(a,b,d,e){if(M(a)){var f,g,h=n.expando,i=a.nodeType,j=i?n.cache:a,k=i?a[h]:a[h]&&h;if(k&&j[k]&&(e||j[k].data)||void 0!==d||"string"!=typeof b)return k||(k=i?a[h]=c.pop()||n.guid++:h),j[k]||(j[k]=i?{}:{toJSON:n.noop}),"object"!=typeof b&&"function"!=typeof b||(e?j[k]=n.extend(j[k],b):j[k].data=n.extend(j[k].data,b)),g=j[k],e||(g.data||(g.data={}),g=g.data),void 0!==d&&(g[n.camelCase(b)]=d),"string"==typeof b?(f=g[b],null==f&&(f=g[n.camelCase(b)])):f=g,f}}function S(a,b,c){if(M(a)){var d,e,f=a.nodeType,g=f?n.cache:a,h=f?a[n.expando]:n.expando;if(g[h]){if(b&&(d=c?g[h]:g[h].data)){n.isArray(b)?b=b.concat(n.map(b,n.camelCase)):b in d?b=[b]:(b=n.camelCase(b),b=b in d?[b]:b.split(" ")),e=b.length;while(e--)delete d[b[e]];if(c?!Q(d):!n.isEmptyObject(d))return}(c||(delete g[h].data,Q(g[h])))&&(f?n.cleanData([a],!0):l.deleteExpando||g!=g.window?delete g[h]:g[h]=void 0)}}}n.extend({cache:{},noData:{"applet ":!0,"embed ":!0,"object ":"clsid:D27CDB6E-AE6D-11cf-96B8-444553540000"},hasData:function(a){return a=a.nodeType?n.cache[a[n.expando]]:a[n.expando],!!a&&!Q(a)},data:function(a,b,c){return R(a,b,c)},removeData:function(a,b){return S(a,b)},_data:function(a,b,c){return R(a,b,c,!0)},_removeData:function(a,b){return S(a,b,!0)}}),n.fn.extend({data:function(a,b){var c,d,e,f=this[0],g=f&&f.attributes;if(void 0===a){if(this.length&&(e=n.data(f),1===f.nodeType&&!n._data(f,"parsedAttrs"))){c=g.length;while(c--)g[c]&&(d=g[c].name,0===d.indexOf("data-")&&(d=n.camelCase(d.slice(5)),P(f,d,e[d])));n._data(f,"parsedAttrs",!0)}return e}return"object"==typeof a?this.each(function(){n.data(this,a)}):arguments.length>1?this.each(function(){n.data(this,a,b)}):f?P(f,a,n.data(f,a)):void 0},removeData:function(a){return this.each(function(){n.removeData(this,a)})}}),n.extend({queue:function(a,b,c){var d;return a?(b=(b||"fx")+"queue",d=n._data(a,b),c&&(!d||n.isArray(c)?d=n._data(a,b,n.makeArray(c)):d.push(c)),d||[]):void 0},dequeue:function(a,b){b=b||"fx";var c=n.queue(a,b),d=c.length,e=c.shift(),f=n._queueHooks(a,b),g=function(){n.dequeue(a,b)};"inprogress"===e&&(e=c.shift(),d--),e&&("fx"===b&&c.unshift("inprogress"),delete f.stop,e.call(a,g,f)),!d&&f&&f.empty.fire()},_queueHooks:function(a,b){var c=b+"queueHooks";return n._data(a,c)||n._data(a,c,{empty:n.Callbacks("once memory").add(function(){n._removeData(a,b+"queue"),n._removeData(a,c)})})}}),n.fn.extend({queue:function(a,b){var c=2;return"string"!=typeof a&&(b=a,a="fx",c--),arguments.length<c?n.queue(this[0],a):void 0===b?this:this.each(function(){var c=n.queue(this,a,b);n._queueHooks(this,a),"fx"===a&&"inprogress"!==c[0]&&n.dequeue(this,a)})},dequeue:function(a){return this.each(function(){n.dequeue(this,a)})},clearQueue:function(a){return this.queue(a||"fx",[])},promise:function(a,b){var c,d=1,e=n.Deferred(),f=this,g=this.length,h=function(){--d||e.resolveWith(f,[f])};"string"!=typeof a&&(b=a,a=void 0),a=a||"fx";while(g--)c=n._data(f[g],a+"queueHooks"),c&&c.empty&&(d++,c.empty.add(h));return h(),e.promise(b)}}),function(){var a;l.shrinkWrapBlocks=function(){if(null!=a)return a;a=!1;var b,c,e;return c=d.getElementsByTagName("body")[0],c&&c.style?(b=d.createElement("div"),e=d.createElement("div"),e.style.cssText="position:absolute;border:0;width:0;height:0;top:0;left:-9999px",c.appendChild(e).appendChild(b),"undefined"!=typeof b.style.zoom&&(b.style.cssText="-webkit-box-sizing:content-box;-moz-box-sizing:content-box;box-sizing:content-box;display:block;margin:0;border:0;padding:1px;width:1px;zoom:1",b.appendChild(d.createElement("div")).style.width="5px",a=3!==b.offsetWidth),c.removeChild(e),a):void 0}}();var T=/[+-]?(?:\d*\.|)\d+(?:[eE][+-]?\d+|)/.source,U=new RegExp("^(?:([+-])=|)("+T+")([a-z%]*)$","i"),V=["Top","Right","Bottom","Left"],W=function(a,b){return a=b||a,"none"===n.css(a,"display")||!n.contains(a.ownerDocument,a)};function X(a,b,c,d){var e,f=1,g=20,h=d?function(){return d.cur()}:function(){return n.css(a,b,"")},i=h(),j=c&&c[3]||(n.cssNumber[b]?"":"px"),k=(n.cssNumber[b]||"px"!==j&&+i)&&U.exec(n.css(a,b));if(k&&k[3]!==j){j=j||k[3],c=c||[],k=+i||1;do f=f||".5",k/=f,n.style(a,b,k+j);while(f!==(f=h()/i)&&1!==f&&--g)}return c&&(k=+k||+i||0,e=c[1]?k+(c[1]+1)*c[2]:+c[2],d&&(d.unit=j,d.start=k,d.end=e)),e}var Y=function(a,b,c,d,e,f,g){var h=0,i=a.length,j=null==c;if("object"===n.type(c)){e=!0;for(h in c)Y(a,b,h,c[h],!0,f,g)}else if(void 0!==d&&(e=!0,n.isFunction(d)||(g=!0),j&&(g?(b.call(a,d),b=null):(j=b,b=function(a,b,c){return j.call(n(a),c)})),b))for(;i>h;h++)b(a[h],c,g?d:d.call(a[h],h,b(a[h],c)));return e?a:j?b.call(a):i?b(a[0],c):f},Z=/^(?:checkbox|radio)$/i,$=/<([\w:-]+)/,_=/^$|\/(?:java|ecma)script/i,aa=/^\s+/,ba="abbr|article|aside|audio|bdi|canvas|data|datalist|details|dialog|figcaption|figure|footer|header|hgroup|main|mark|meter|nav|output|picture|progress|section|summary|template|time|video";function ca(a){var b=ba.split("|"),c=a.createDocumentFragment();if(c.createElement)while(b.length)c.createElement(b.pop());return c}!function(){var a=d.createElement("div"),b=d.createDocumentFragment(),c=d.createElement("input");a.innerHTML=" <link/><table></table><a href='/a'>a</a><input type='checkbox'/>",l.leadingWhitespace=3===a.firstChild.nodeType,l.tbody=!a.getElementsByTagName("tbody").length,l.htmlSerialize=!!a.getElementsByTagName("link").length,l.html5Clone="<:nav></:nav>"!==d.createElement("nav").cloneNode(!0).outerHTML,c.type="checkbox",c.checked=!0,b.appendChild(c),l.appendChecked=c.checked,a.innerHTML="<textarea>x</textarea>",l.noCloneChecked=!!a.cloneNode(!0).lastChild.defaultValue,b.appendChild(a),c=d.createElement("input"),c.setAttribute("type","radio"),c.setAttribute("checked","checked"),c.setAttribute("name","t"),a.appendChild(c),l.checkClone=a.cloneNode(!0).cloneNode(!0).lastChild.checked,l.noCloneEvent=!!a.addEventListener,a[n.expando]=1,l.attributes=!a.getAttribute(n.expando)}();var da={option:[1,"<select multiple='multiple'>","</select>"],legend:[1,"<fieldset>","</fieldset>"],area:[1,"<map>","</map>"],param:[1,"<object>","</object>"],thead:[1,"<table>","</table>"],tr:[2,"<table><tbody>","</tbody></table>"],col:[2,"<table><tbody></tbody><colgroup>","</colgroup></table>"],td:[3,"<table><tbody><tr>","</tr></tbody></table>"],_default:l.htmlSerialize?[0,"",""]:[1,"X<div>","</div>"]};da.optgroup=da.option,da.tbody=da.tfoot=da.colgroup=da.caption=da.thead,da.th=da.td;function ea(a,b){var c,d,e=0,f="undefined"!=typeof a.getElementsByTagName?a.getElementsByTagName(b||"*"):"undefined"!=typeof a.querySelectorAll?a.querySelectorAll(b||"*"):void 0;if(!f)for(f=[],c=a.childNodes||a;null!=(d=c[e]);e++)!b||n.nodeName(d,b)?f.push(d):n.merge(f,ea(d,b));return void 0===b||b&&n.nodeName(a,b)?n.merge([a],f):f}function fa(a,b){for(var c,d=0;null!=(c=a[d]);d++)n._data(c,"globalEval",!b||n._data(b[d],"globalEval"))}var ga=/<|&#?\w+;/,ha=/<tbody/i;function ia(a){Z.test(a.type)&&(a.defaultChecked=a.checked)}function ja(a,b,c,d,e){for(var f,g,h,i,j,k,m,o=a.length,p=ca(b),q=[],r=0;o>r;r++)if(g=a[r],g||0===g)if("object"===n.type(g))n.merge(q,g.nodeType?[g]:g);else if(ga.test(g)){i=i||p.appendChild(b.createElement("div")),j=($.exec(g)||["",""])[1].toLowerCase(),m=da[j]||da._default,i.innerHTML=m[1]+n.htmlPrefilter(g)+m[2],f=m[0];while(f--)i=i.lastChild;if(!l.leadingWhitespace&&aa.test(g)&&q.push(b.createTextNode(aa.exec(g)[0])),!l.tbody){g="table"!==j||ha.test(g)?"<table>"!==m[1]||ha.test(g)?0:i:i.firstChild,f=g&&g.childNodes.length;while(f--)n.nodeName(k=g.childNodes[f],"tbody")&&!k.childNodes.length&&g.removeChild(k)}n.merge(q,i.childNodes),i.textContent="";while(i.firstChild)i.removeChild(i.firstChild);i=p.lastChild}else q.push(b.createTextNode(g));i&&p.removeChild(i),l.appendChecked||n.grep(ea(q,"input"),ia),r=0;while(g=q[r++])if(d&&n.inArray(g,d)>-1)e&&e.push(g);else if(h=n.contains(g.ownerDocument,g),i=ea(p.appendChild(g),"script"),h&&fa(i),c){f=0;while(g=i[f++])_.test(g.type||"")&&c.push(g)}return i=null,p}!function(){var b,c,e=d.createElement("div");for(b in{submit:!0,change:!0,focusin:!0})c="on"+b,(l[b]=c in a)||(e.setAttribute(c,"t"),l[b]=e.attributes[c].expando===!1);e=null}();var ka=/^(?:input|select|textarea)$/i,la=/^key/,ma=/^(?:mouse|pointer|contextmenu|drag|drop)|click/,na=/^(?:focusinfocus|focusoutblur)$/,oa=/^([^.]*)(?:\.(.+)|)/;function pa(){return!0}function qa(){return!1}function ra(){try{return d.activeElement}catch(a){}}function sa(a,b,c,d,e,f){var g,h;if("object"==typeof b){"string"!=typeof c&&(d=d||c,c=void 0);for(h in b)sa(a,h,c,d,b[h],f);return a}if(null==d&&null==e?(e=c,d=c=void 0):null==e&&("string"==typeof c?(e=d,d=void 0):(e=d,d=c,c=void 0)),e===!1)e=qa;else if(!e)return a;return 1===f&&(g=e,e=function(a){return n().off(a),g.apply(this,arguments)},e.guid=g.guid||(g.guid=n.guid++)),a.each(function(){n.event.add(this,b,e,d,c)})}n.event={global:{},add:function(a,b,c,d,e){var f,g,h,i,j,k,l,m,o,p,q,r=n._data(a);if(r){c.handler&&(i=c,c=i.handler,e=i.selector),c.guid||(c.guid=n.guid++),(g=r.events)||(g=r.events={}),(k=r.handle)||(k=r.handle=function(a){return"undefined"==typeof n||a&&n.event.triggered===a.type?void 0:n.event.dispatch.apply(k.elem,arguments)},k.elem=a),b=(b||"").match(G)||[""],h=b.length;while(h--)f=oa.exec(b[h])||[],o=q=f[1],p=(f[2]||"").split(".").sort(),o&&(j=n.event.special[o]||{},o=(e?j.delegateType:j.bindType)||o,j=n.event.special[o]||{},l=n.extend({type:o,origType:q,data:d,handler:c,guid:c.guid,selector:e,needsContext:e&&n.expr.match.needsContext.test(e),namespace:p.join(".")},i),(m=g[o])||(m=g[o]=[],m.delegateCount=0,j.setup&&j.setup.call(a,d,p,k)!==!1||(a.addEventListener?a.addEventListener(o,k,!1):a.attachEvent&&a.attachEvent("on"+o,k))),j.add&&(j.add.call(a,l),l.handler.guid||(l.handler.guid=c.guid)),e?m.splice(m.delegateCount++,0,l):m.push(l),n.event.global[o]=!0);a=null}},remove:function(a,b,c,d,e){var f,g,h,i,j,k,l,m,o,p,q,r=n.hasData(a)&&n._data(a);if(r&&(k=r.events)){b=(b||"").match(G)||[""],j=b.length;while(j--)if(h=oa.exec(b[j])||[],o=q=h[1],p=(h[2]||"").split(".").sort(),o){l=n.event.special[o]||{},o=(d?l.delegateType:l.bindType)||o,m=k[o]||[],h=h[2]&&new RegExp("(^|\\.)"+p.join("\\.(?:.*\\.|)")+"(\\.|$)"),i=f=m.length;while(f--)g=m[f],!e&&q!==g.origType||c&&c.guid!==g.guid||h&&!h.test(g.namespace)||d&&d!==g.selector&&("**"!==d||!g.selector)||(m.splice(f,1),g.selector&&m.delegateCount--,l.remove&&l.remove.call(a,g));i&&!m.length&&(l.teardown&&l.teardown.call(a,p,r.handle)!==!1||n.removeEvent(a,o,r.handle),delete k[o])}else for(o in k)n.event.remove(a,o+b[j],c,d,!0);n.isEmptyObject(k)&&(delete r.handle,n._removeData(a,"events"))}},trigger:function(b,c,e,f){var g,h,i,j,l,m,o,p=[e||d],q=k.call(b,"type")?b.type:b,r=k.call(b,"namespace")?b.namespace.split("."):[];if(i=m=e=e||d,3!==e.nodeType&&8!==e.nodeType&&!na.test(q+n.event.triggered)&&(q.indexOf(".")>-1&&(r=q.split("."),q=r.shift(),r.sort()),h=q.indexOf(":")<0&&"on"+q,b=b[n.expando]?b:new n.Event(q,"object"==typeof b&&b),b.isTrigger=f?2:3,b.namespace=r.join("."),b.rnamespace=b.namespace?new RegExp("(^|\\.)"+r.join("\\.(?:.*\\.|)")+"(\\.|$)"):null,b.result=void 0,b.target||(b.target=e),c=null==c?[b]:n.makeArray(c,[b]),l=n.event.special[q]||{},f||!l.trigger||l.trigger.apply(e,c)!==!1)){if(!f&&!l.noBubble&&!n.isWindow(e)){for(j=l.delegateType||q,na.test(j+q)||(i=i.parentNode);i;i=i.parentNode)p.push(i),m=i;m===(e.ownerDocument||d)&&p.push(m.defaultView||m.parentWindow||a)}o=0;while((i=p[o++])&&!b.isPropagationStopped())b.type=o>1?j:l.bindType||q,g=(n._data(i,"events")||{})[b.type]&&n._data(i,"handle"),g&&g.apply(i,c),g=h&&i[h],g&&g.apply&&M(i)&&(b.result=g.apply(i,c),b.result===!1&&b.preventDefault());if(b.type=q,!f&&!b.isDefaultPrevented()&&(!l._default||l._default.apply(p.pop(),c)===!1)&&M(e)&&h&&e[q]&&!n.isWindow(e)){m=e[h],m&&(e[h]=null),n.event.triggered=q;try{e[q]()}catch(s){}n.event.triggered=void 0,m&&(e[h]=m)}return b.result}},dispatch:function(a){a=n.event.fix(a);var b,c,d,f,g,h=[],i=e.call(arguments),j=(n._data(this,"events")||{})[a.type]||[],k=n.event.special[a.type]||{};if(i[0]=a,a.delegateTarget=this,!k.preDispatch||k.preDispatch.call(this,a)!==!1){h=n.event.handlers.call(this,a,j),b=0;while((f=h[b++])&&!a.isPropagationStopped()){a.currentTarget=f.elem,c=0;while((g=f.handlers[c++])&&!a.isImmediatePropagationStopped())a.rnamespace&&!a.rnamespace.test(g.namespace)||(a.handleObj=g,a.data=g.data,d=((n.event.special[g.origType]||{}).handle||g.handler).apply(f.elem,i),void 0!==d&&(a.result=d)===!1&&(a.preventDefault(),a.stopPropagation()))}return k.postDispatch&&k.postDispatch.call(this,a),a.result}},handlers:function(a,b){var c,d,e,f,g=[],h=b.delegateCount,i=a.target;if(h&&i.nodeType&&("click"!==a.type||isNaN(a.button)||a.button<1))for(;i!=this;i=i.parentNode||this)if(1===i.nodeType&&(i.disabled!==!0||"click"!==a.type)){for(d=[],c=0;h>c;c++)f=b[c],e=f.selector+" ",void 0===d[e]&&(d[e]=f.needsContext?n(e,this).index(i)>-1:n.find(e,this,null,[i]).length),d[e]&&d.push(f);d.length&&g.push({elem:i,handlers:d})}return h<b.length&&g.push({elem:this,handlers:b.slice(h)}),g},fix:function(a){if(a[n.expando])return a;var b,c,e,f=a.type,g=a,h=this.fixHooks[f];h||(this.fixHooks[f]=h=ma.test(f)?this.mouseHooks:la.test(f)?this.keyHooks:{}),e=h.props?this.props.concat(h.props):this.props,a=new n.Event(g),b=e.length;while(b--)c=e[b],a[c]=g[c];return a.target||(a.target=g.srcElement||d),3===a.target.nodeType&&(a.target=a.target.parentNode),a.metaKey=!!a.metaKey,h.filter?h.filter(a,g):a},props:"altKey bubbles cancelable ctrlKey currentTarget detail eventPhase metaKey relatedTarget shiftKey target timeStamp view which".split(" "),fixHooks:{},keyHooks:{props:"char charCode key keyCode".split(" "),filter:function(a,b){return null==a.which&&(a.which=null!=b.charCode?b.charCode:b.keyCode),a}},mouseHooks:{props:"button buttons clientX clientY fromElement offsetX offsetY pageX pageY screenX screenY toElement".split(" "),filter:function(a,b){var c,e,f,g=b.button,h=b.fromElement;return null==a.pageX&&null!=b.clientX&&(e=a.target.ownerDocument||d,f=e.documentElement,c=e.body,a.pageX=b.clientX+(f&&f.scrollLeft||c&&c.scrollLeft||0)-(f&&f.clientLeft||c&&c.clientLeft||0),a.pageY=b.clientY+(f&&f.scrollTop||c&&c.scrollTop||0)-(f&&f.clientTop||c&&c.clientTop||0)),!a.relatedTarget&&h&&(a.relatedTarget=h===a.target?b.toElement:h),a.which||void 0===g||(a.which=1&g?1:2&g?3:4&g?2:0),a}},special:{load:{noBubble:!0},focus:{trigger:function(){if(this!==ra()&&this.focus)try{return this.focus(),!1}catch(a){}},delegateType:"focusin"},blur:{trigger:function(){return this===ra()&&this.blur?(this.blur(),!1):void 0},delegateType:"focusout"},click:{trigger:function(){return n.nodeName(this,"input")&&"checkbox"===this.type&&this.click?(this.click(),!1):void 0},_default:function(a){return n.nodeName(a.target,"a")}},beforeunload:{postDispatch:function(a){void 0!==a.result&&a.originalEvent&&(a.originalEvent.returnValue=a.result)}}},simulate:function(a,b,c){var d=n.extend(new n.Event,c,{type:a,isSimulated:!0});n.event.trigger(d,null,b),d.isDefaultPrevented()&&c.preventDefault()}},n.removeEvent=d.removeEventListener?function(a,b,c){a.removeEventListener&&a.removeEventListener(b,c)}:function(a,b,c){var d="on"+b;a.detachEvent&&("undefined"==typeof a[d]&&(a[d]=null),a.detachEvent(d,c))},n.Event=function(a,b){return this instanceof n.Event?(a&&a.type?(this.originalEvent=a,this.type=a.type,this.isDefaultPrevented=a.defaultPrevented||void 0===a.defaultPrevented&&a.returnValue===!1?pa:qa):this.type=a,b&&n.extend(this,b),this.timeStamp=a&&a.timeStamp||n.now(),void(this[n.expando]=!0)):new n.Event(a,b)},n.Event.prototype={constructor:n.Event,isDefaultPrevented:qa,isPropagationStopped:qa,isImmediatePropagationStopped:qa,preventDefault:function(){var a=this.originalEvent;this.isDefaultPrevented=pa,a&&(a.preventDefault?a.preventDefault():a.returnValue=!1)},stopPropagation:function(){var a=this.originalEvent;this.isPropagationStopped=pa,a&&!this.isSimulated&&(a.stopPropagation&&a.stopPropagation(),a.cancelBubble=!0)},stopImmediatePropagation:function(){var a=this.originalEvent;this.isImmediatePropagationStopped=pa,a&&a.stopImmediatePropagation&&a.stopImmediatePropagation(),this.stopPropagation()}},n.each({mouseenter:"mouseover",mouseleave:"mouseout",pointerenter:"pointerover",pointerleave:"pointerout"},function(a,b){n.event.special[a]={delegateType:b,bindType:b,handle:function(a){var c,d=this,e=a.relatedTarget,f=a.handleObj;return e&&(e===d||n.contains(d,e))||(a.type=f.origType,c=f.handler.apply(this,arguments),a.type=b),c}}}),l.submit||(n.event.special.submit={setup:function(){return n.nodeName(this,"form")?!1:void n.event.add(this,"click._submit keypress._submit",function(a){var b=a.target,c=n.nodeName(b,"input")||n.nodeName(b,"button")?n.prop(b,"form"):void 0;c&&!n._data(c,"submit")&&(n.event.add(c,"submit._submit",function(a){a._submitBubble=!0}),n._data(c,"submit",!0))})},postDispatch:function(a){a._submitBubble&&(delete a._submitBubble,this.parentNode&&!a.isTrigger&&n.event.simulate("submit",this.parentNode,a))},teardown:function(){return n.nodeName(this,"form")?!1:void n.event.remove(this,"._submit")}}),l.change||(n.event.special.change={setup:function(){return ka.test(this.nodeName)?("checkbox"!==this.type&&"radio"!==this.type||(n.event.add(this,"propertychange._change",function(a){"checked"===a.originalEvent.propertyName&&(this._justChanged=!0)}),n.event.add(this,"click._change",function(a){this._justChanged&&!a.isTrigger&&(this._justChanged=!1),n.event.simulate("change",this,a)})),!1):void n.event.add(this,"beforeactivate._change",function(a){var b=a.target;ka.test(b.nodeName)&&!n._data(b,"change")&&(n.event.add(b,"change._change",function(a){!this.parentNode||a.isSimulated||a.isTrigger||n.event.simulate("change",this.parentNode,a)}),n._data(b,"change",!0))})},handle:function(a){var b=a.target;return this!==b||a.isSimulated||a.isTrigger||"radio"!==b.type&&"checkbox"!==b.type?a.handleObj.handler.apply(this,arguments):void 0},teardown:function(){return n.event.remove(this,"._change"),!ka.test(this.nodeName)}}),l.focusin||n.each({focus:"focusin",blur:"focusout"},function(a,b){var c=function(a){n.event.simulate(b,a.target,n.event.fix(a))};n.event.special[b]={setup:function(){var d=this.ownerDocument||this,e=n._data(d,b);e||d.addEventListener(a,c,!0),n._data(d,b,(e||0)+1)},teardown:function(){var d=this.ownerDocument||this,e=n._data(d,b)-1;e?n._data(d,b,e):(d.removeEventListener(a,c,!0),n._removeData(d,b))}}}),n.fn.extend({on:function(a,b,c,d){return sa(this,a,b,c,d)},one:function(a,b,c,d){return sa(this,a,b,c,d,1)},off:function(a,b,c){var d,e;if(a&&a.preventDefault&&a.handleObj)return d=a.handleObj,n(a.delegateTarget).off(d.namespace?d.origType+"."+d.namespace:d.origType,d.selector,d.handler),this;if("object"==typeof a){for(e in a)this.off(e,b,a[e]);return this}return b!==!1&&"function"!=typeof b||(c=b,b=void 0),c===!1&&(c=qa),this.each(function(){n.event.remove(this,a,c,b)})},trigger:function(a,b){return this.each(function(){n.event.trigger(a,b,this)})},triggerHandler:function(a,b){var c=this[0];return c?n.event.trigger(a,b,c,!0):void 0}});var ta=/ jQuery\d+="(?:null|\d+)"/g,ua=new RegExp("<(?:"+ba+")[\\s/>]","i"),va=/<(?!area|br|col|embed|hr|img|input|link|meta|param)(([\w:-]+)[^>]*)\/>/gi,wa=/<script|<style|<link/i,xa=/checked\s*(?:[^=]|=\s*.checked.)/i,ya=/^true\/(.*)/,za=/^\s*<!(?:\[CDATA\[|--)|(?:\]\]|--)>\s*$/g,Aa=ca(d),Ba=Aa.appendChild(d.createElement("div"));function Ca(a,b){return n.nodeName(a,"table")&&n.nodeName(11!==b.nodeType?b:b.firstChild,"tr")?a.getElementsByTagName("tbody")[0]||a.appendChild(a.ownerDocument.createElement("tbody")):a}function Da(a){return a.type=(null!==n.find.attr(a,"type"))+"/"+a.type,a}function Ea(a){var b=ya.exec(a.type);return b?a.type=b[1]:a.removeAttribute("type"),a}function Fa(a,b){if(1===b.nodeType&&n.hasData(a)){var c,d,e,f=n._data(a),g=n._data(b,f),h=f.events;if(h){delete g.handle,g.events={};for(c in h)for(d=0,e=h[c].length;e>d;d++)n.event.add(b,c,h[c][d])}g.data&&(g.data=n.extend({},g.data))}}function Ga(a,b){var c,d,e;if(1===b.nodeType){if(c=b.nodeName.toLowerCase(),!l.noCloneEvent&&b[n.expando]){e=n._data(b);for(d in e.events)n.removeEvent(b,d,e.handle);b.removeAttribute(n.expando)}"script"===c&&b.text!==a.text?(Da(b).text=a.text,Ea(b)):"object"===c?(b.parentNode&&(b.outerHTML=a.outerHTML),l.html5Clone&&a.innerHTML&&!n.trim(b.innerHTML)&&(b.innerHTML=a.innerHTML)):"input"===c&&Z.test(a.type)?(b.defaultChecked=b.checked=a.checked,b.value!==a.value&&(b.value=a.value)):"option"===c?b.defaultSelected=b.selected=a.defaultSelected:"input"!==c&&"textarea"!==c||(b.defaultValue=a.defaultValue)}}function Ha(a,b,c,d){b=f.apply([],b);var e,g,h,i,j,k,m=0,o=a.length,p=o-1,q=b[0],r=n.isFunction(q);if(r||o>1&&"string"==typeof q&&!l.checkClone&&xa.test(q))return a.each(function(e){var f=a.eq(e);r&&(b[0]=q.call(this,e,f.html())),Ha(f,b,c,d)});if(o&&(k=ja(b,a[0].ownerDocument,!1,a,d),e=k.firstChild,1===k.childNodes.length&&(k=e),e||d)){for(i=n.map(ea(k,"script"),Da),h=i.length;o>m;m++)g=k,m!==p&&(g=n.clone(g,!0,!0),h&&n.merge(i,ea(g,"script"))),c.call(a[m],g,m);if(h)for(j=i[i.length-1].ownerDocument,n.map(i,Ea),m=0;h>m;m++)g=i[m],_.test(g.type||"")&&!n._data(g,"globalEval")&&n.contains(j,g)&&(g.src?n._evalUrl&&n._evalUrl(g.src):n.globalEval((g.text||g.textContent||g.innerHTML||"").replace(za,"")));k=e=null}return a}function Ia(a,b,c){for(var d,e=b?n.filter(b,a):a,f=0;null!=(d=e[f]);f++)c||1!==d.nodeType||n.cleanData(ea(d)),d.parentNode&&(c&&n.contains(d.ownerDocument,d)&&fa(ea(d,"script")),d.parentNode.removeChild(d));return a}n.extend({htmlPrefilter:function(a){return a.replace(va,"<$1></$2>")},clone:function(a,b,c){var d,e,f,g,h,i=n.contains(a.ownerDocument,a);if(l.html5Clone||n.isXMLDoc(a)||!ua.test("<"+a.nodeName+">")?f=a.cloneNode(!0):(Ba.innerHTML=a.outerHTML,Ba.removeChild(f=Ba.firstChild)),!(l.noCloneEvent&&l.noCloneChecked||1!==a.nodeType&&11!==a.nodeType||n.isXMLDoc(a)))for(d=ea(f),h=ea(a),g=0;null!=(e=h[g]);++g)d[g]&&Ga(e,d[g]);if(b)if(c)for(h=h||ea(a),d=d||ea(f),g=0;null!=(e=h[g]);g++)Fa(e,d[g]);else Fa(a,f);return d=ea(f,"script"),d.length>0&&fa(d,!i&&ea(a,"script")),d=h=e=null,f},cleanData:function(a,b){for(var d,e,f,g,h=0,i=n.expando,j=n.cache,k=l.attributes,m=n.event.special;null!=(d=a[h]);h++)if((b||M(d))&&(f=d[i],g=f&&j[f])){if(g.events)for(e in g.events)m[e]?n.event.remove(d,e):n.removeEvent(d,e,g.handle);j[f]&&(delete j[f],k||"undefined"==typeof d.removeAttribute?d[i]=void 0:d.removeAttribute(i),c.push(f))}}}),n.fn.extend({domManip:Ha,detach:function(a){return Ia(this,a,!0)},remove:function(a){return Ia(this,a)},text:function(a){return Y(this,function(a){return void 0===a?n.text(this):this.empty().append((this[0]&&this[0].ownerDocument||d).createTextNode(a))},null,a,arguments.length)},append:function(){return Ha(this,arguments,function(a){if(1===this.nodeType||11===this.nodeType||9===this.nodeType){var b=Ca(this,a);b.appendChild(a)}})},prepend:function(){return Ha(this,arguments,function(a){if(1===this.nodeType||11===this.nodeType||9===this.nodeType){var b=Ca(this,a);b.insertBefore(a,b.firstChild)}})},before:function(){return Ha(this,arguments,function(a){this.parentNode&&this.parentNode.insertBefore(a,this)})},after:function(){return Ha(this,arguments,function(a){this.parentNode&&this.parentNode.insertBefore(a,this.nextSibling)})},empty:function(){for(var a,b=0;null!=(a=this[b]);b++){1===a.nodeType&&n.cleanData(ea(a,!1));while(a.firstChild)a.removeChild(a.firstChild);a.options&&n.nodeName(a,"select")&&(a.options.length=0)}return this},clone:function(a,b){return a=null==a?!1:a,b=null==b?a:b,this.map(function(){return n.clone(this,a,b)})},html:function(a){return Y(this,function(a){var b=this[0]||{},c=0,d=this.length;if(void 0===a)return 1===b.nodeType?b.innerHTML.replace(ta,""):void 0;if("string"==typeof a&&!wa.test(a)&&(l.htmlSerialize||!ua.test(a))&&(l.leadingWhitespace||!aa.test(a))&&!da[($.exec(a)||["",""])[1].toLowerCase()]){a=n.htmlPrefilter(a);try{for(;d>c;c++)b=this[c]||{},1===b.nodeType&&(n.cleanData(ea(b,!1)),b.innerHTML=a);b=0}catch(e){}}b&&this.empty().append(a)},null,a,arguments.length)},replaceWith:function(){var a=[];return Ha(this,arguments,function(b){var c=this.parentNode;n.inArray(this,a)<0&&(n.cleanData(ea(this)),c&&c.replaceChild(b,this))},a)}}),n.each({appendTo:"append",prependTo:"prepend",insertBefore:"before",insertAfter:"after",replaceAll:"replaceWith"},function(a,b){n.fn[a]=function(a){for(var c,d=0,e=[],f=n(a),h=f.length-1;h>=d;d++)c=d===h?this:this.clone(!0),n(f[d])[b](c),g.apply(e,c.get());return this.pushStack(e)}});var Ja,Ka={HTML:"block",BODY:"block"};function La(a,b){var c=n(b.createElement(a)).appendTo(b.body),d=n.css(c[0],"display");return c.detach(),d}function Ma(a){var b=d,c=Ka[a];return c||(c=La(a,b),"none"!==c&&c||(Ja=(Ja||n("<iframe frameborder='0' width='0' height='0'/>")).appendTo(b.documentElement),b=(Ja[0].contentWindow||Ja[0].contentDocument).document,b.write(),b.close(),c=La(a,b),Ja.detach()),Ka[a]=c),c}var Na=/^margin/,Oa=new RegExp("^("+T+")(?!px)[a-z%]+$","i"),Pa=function(a,b,c,d){var e,f,g={};for(f in b)g[f]=a.style[f],a.style[f]=b[f];e=c.apply(a,d||[]);for(f in b)a.style[f]=g[f];return e},Qa=d.documentElement;!function(){var b,c,e,f,g,h,i=d.createElement("div"),j=d.createElement("div");if(j.style){j.style.cssText="float:left;opacity:.5",l.opacity="0.5"===j.style.opacity,l.cssFloat=!!j.style.cssFloat,j.style.backgroundClip="content-box",j.cloneNode(!0).style.backgroundClip="",l.clearCloneStyle="content-box"===j.style.backgroundClip,i=d.createElement("div"),i.style.cssText="border:0;width:8px;height:0;top:0;left:-9999px;padding:0;margin-top:1px;position:absolute",j.innerHTML="",i.appendChild(j),l.boxSizing=""===j.style.boxSizing||""===j.style.MozBoxSizing||""===j.style.WebkitBoxSizing,n.extend(l,{reliableHiddenOffsets:function(){return null==b&&k(),f},boxSizingReliable:function(){return null==b&&k(),e},pixelMarginRight:function(){return null==b&&k(),c},pixelPosition:function(){return null==b&&k(),b},reliableMarginRight:function(){return null==b&&k(),g},reliableMarginLeft:function(){return null==b&&k(),h}});function k(){var k,l,m=d.documentElement;m.appendChild(i),j.style.cssText="-webkit-box-sizing:border-box;box-sizing:border-box;position:relative;display:block;margin:auto;border:1px;padding:1px;top:1%;width:50%",b=e=h=!1,c=g=!0,a.getComputedStyle&&(l=a.getComputedStyle(j),b="1%"!==(l||{}).top,h="2px"===(l||{}).marginLeft,e="4px"===(l||{width:"4px"}).width,j.style.marginRight="50%",c="4px"===(l||{marginRight:"4px"}).marginRight,k=j.appendChild(d.createElement("div")),k.style.cssText=j.style.cssText="-webkit-box-sizing:content-box;-moz-box-sizing:content-box;box-sizing:content-box;display:block;margin:0;border:0;padding:0",k.style.marginRight=k.style.width="0",j.style.width="1px",g=!parseFloat((a.getComputedStyle(k)||{}).marginRight),j.removeChild(k)),j.style.display="none",f=0===j.getClientRects().length,f&&(j.style.display="",j.innerHTML="<table><tr><td></td><td>t</td></tr></table>",j.childNodes[0].style.borderCollapse="separate",k=j.getElementsByTagName("td"),k[0].style.cssText="margin:0;border:0;padding:0;display:none",f=0===k[0].offsetHeight,f&&(k[0].style.display="",k[1].style.display="none",f=0===k[0].offsetHeight)),m.removeChild(i)}}}();var Ra,Sa,Ta=/^(top|right|bottom|left)$/;a.getComputedStyle?(Ra=function(b){var c=b.ownerDocument.defaultView;return c&&c.opener||(c=a),c.getComputedStyle(b)},Sa=function(a,b,c){var d,e,f,g,h=a.style;return c=c||Ra(a),g=c?c.getPropertyValue(b)||c[b]:void 0,""!==g&&void 0!==g||n.contains(a.ownerDocument,a)||(g=n.style(a,b)),c&&!l.pixelMarginRight()&&Oa.test(g)&&Na.test(b)&&(d=h.width,e=h.minWidth,f=h.maxWidth,h.minWidth=h.maxWidth=h.width=g,g=c.width,h.width=d,h.minWidth=e,h.maxWidth=f),void 0===g?g:g+""}):Qa.currentStyle&&(Ra=function(a){return a.currentStyle},Sa=function(a,b,c){var d,e,f,g,h=a.style;return c=c||Ra(a),g=c?c[b]:void 0,null==g&&h&&h[b]&&(g=h[b]),Oa.test(g)&&!Ta.test(b)&&(d=h.left,e=a.runtimeStyle,f=e&&e.left,f&&(e.left=a.currentStyle.left),h.left="fontSize"===b?"1em":g,g=h.pixelLeft+"px",h.left=d,f&&(e.left=f)),void 0===g?g:g+""||"auto"});function Ua(a,b){return{get:function(){return a()?void delete this.get:(this.get=b).apply(this,arguments)}}}var Va=/alpha\([^)]*\)/i,Wa=/opacity\s*=\s*([^)]*)/i,Xa=/^(none|table(?!-c[ea]).+)/,Ya=new RegExp("^("+T+")(.*)$","i"),Za={position:"absolute",visibility:"hidden",display:"block"},$a={letterSpacing:"0",fontWeight:"400"},_a=["Webkit","O","Moz","ms"],ab=d.createElement("div").style;function bb(a){if(a in ab)return a;var b=a.charAt(0).toUpperCase()+a.slice(1),c=_a.length;while(c--)if(a=_a[c]+b,a in ab)return a}function cb(a,b){for(var c,d,e,f=[],g=0,h=a.length;h>g;g++)d=a[g],d.style&&(f[g]=n._data(d,"olddisplay"),c=d.style.display,b?(f[g]||"none"!==c||(d.style.display=""),""===d.style.display&&W(d)&&(f[g]=n._data(d,"olddisplay",Ma(d.nodeName)))):(e=W(d),(c&&"none"!==c||!e)&&n._data(d,"olddisplay",e?c:n.css(d,"display"))));for(g=0;h>g;g++)d=a[g],d.style&&(b&&"none"!==d.style.display&&""!==d.style.display||(d.style.display=b?f[g]||"":"none"));return a}function db(a,b,c){var d=Ya.exec(b);return d?Math.max(0,d[1]-(c||0))+(d[2]||"px"):b}function eb(a,b,c,d,e){for(var f=c===(d?"border":"content")?4:"width"===b?1:0,g=0;4>f;f+=2)"margin"===c&&(g+=n.css(a,c+V[f],!0,e)),d?("content"===c&&(g-=n.css(a,"padding"+V[f],!0,e)),"margin"!==c&&(g-=n.css(a,"border"+V[f]+"Width",!0,e))):(g+=n.css(a,"padding"+V[f],!0,e),"padding"!==c&&(g+=n.css(a,"border"+V[f]+"Width",!0,e)));return g}function fb(a,b,c){var d=!0,e="width"===b?a.offsetWidth:a.offsetHeight,f=Ra(a),g=l.boxSizing&&"border-box"===n.css(a,"boxSizing",!1,f);if(0>=e||null==e){if(e=Sa(a,b,f),(0>e||null==e)&&(e=a.style[b]),Oa.test(e))return e;d=g&&(l.boxSizingReliable()||e===a.style[b]),e=parseFloat(e)||0}return e+eb(a,b,c||(g?"border":"content"),d,f)+"px"}n.extend({cssHooks:{opacity:{get:function(a,b){if(b){var c=Sa(a,"opacity");return""===c?"1":c}}}},cssNumber:{animationIterationCount:!0,columnCount:!0,fillOpacity:!0,flexGrow:!0,flexShrink:!0,fontWeight:!0,lineHeight:!0,opacity:!0,order:!0,orphans:!0,widows:!0,zIndex:!0,zoom:!0},cssProps:{"float":l.cssFloat?"cssFloat":"styleFloat"},style:function(a,b,c,d){if(a&&3!==a.nodeType&&8!==a.nodeType&&a.style){var e,f,g,h=n.camelCase(b),i=a.style;if(b=n.cssProps[h]||(n.cssProps[h]=bb(h)||h),g=n.cssHooks[b]||n.cssHooks[h],void 0===c)return g&&"get"in g&&void 0!==(e=g.get(a,!1,d))?e:i[b];if(f=typeof c,"string"===f&&(e=U.exec(c))&&e[1]&&(c=X(a,b,e),f="number"),null!=c&&c===c&&("number"===f&&(c+=e&&e[3]||(n.cssNumber[h]?"":"px")),l.clearCloneStyle||""!==c||0!==b.indexOf("background")||(i[b]="inherit"),!(g&&"set"in g&&void 0===(c=g.set(a,c,d)))))try{i[b]=c}catch(j){}}},css:function(a,b,c,d){var e,f,g,h=n.camelCase(b);return b=n.cssProps[h]||(n.cssProps[h]=bb(h)||h),g=n.cssHooks[b]||n.cssHooks[h],g&&"get"in g&&(f=g.get(a,!0,c)),void 0===f&&(f=Sa(a,b,d)),"normal"===f&&b in $a&&(f=$a[b]),""===c||c?(e=parseFloat(f),c===!0||isFinite(e)?e||0:f):f}}),n.each(["height","width"],function(a,b){n.cssHooks[b]={get:function(a,c,d){return c?Xa.test(n.css(a,"display"))&&0===a.offsetWidth?Pa(a,Za,function(){return fb(a,b,d)}):fb(a,b,d):void 0},set:function(a,c,d){var e=d&&Ra(a);return db(a,c,d?eb(a,b,d,l.boxSizing&&"border-box"===n.css(a,"boxSizing",!1,e),e):0)}}}),l.opacity||(n.cssHooks.opacity={get:function(a,b){return Wa.test((b&&a.currentStyle?a.currentStyle.filter:a.style.filter)||"")?.01*parseFloat(RegExp.$1)+"":b?"1":""},set:function(a,b){var c=a.style,d=a.currentStyle,e=n.isNumeric(b)?"alpha(opacity="+100*b+")":"",f=d&&d.filter||c.filter||"";c.zoom=1,(b>=1||""===b)&&""===n.trim(f.replace(Va,""))&&c.removeAttribute&&(c.removeAttribute("filter"),""===b||d&&!d.filter)||(c.filter=Va.test(f)?f.replace(Va,e):f+" "+e)}}),n.cssHooks.marginRight=Ua(l.reliableMarginRight,function(a,b){return b?Pa(a,{display:"inline-block"},Sa,[a,"marginRight"]):void 0}),n.cssHooks.marginLeft=Ua(l.reliableMarginLeft,function(a,b){return b?(parseFloat(Sa(a,"marginLeft"))||(n.contains(a.ownerDocument,a)?a.getBoundingClientRect().left-Pa(a,{ marginLeft:0},function(){return a.getBoundingClientRect().left}):0))+"px":void 0}),n.each({margin:"",padding:"",border:"Width"},function(a,b){n.cssHooks[a+b]={expand:function(c){for(var d=0,e={},f="string"==typeof c?c.split(" "):[c];4>d;d++)e[a+V[d]+b]=f[d]||f[d-2]||f[0];return e}},Na.test(a)||(n.cssHooks[a+b].set=db)}),n.fn.extend({css:function(a,b){return Y(this,function(a,b,c){var d,e,f={},g=0;if(n.isArray(b)){for(d=Ra(a),e=b.length;e>g;g++)f[b[g]]=n.css(a,b[g],!1,d);return f}return void 0!==c?n.style(a,b,c):n.css(a,b)},a,b,arguments.length>1)},show:function(){return cb(this,!0)},hide:function(){return cb(this)},toggle:function(a){return"boolean"==typeof a?a?this.show():this.hide():this.each(function(){W(this)?n(this).show():n(this).hide()})}});function gb(a,b,c,d,e){return new gb.prototype.init(a,b,c,d,e)}n.Tween=gb,gb.prototype={constructor:gb,init:function(a,b,c,d,e,f){this.elem=a,this.prop=c,this.easing=e||n.easing._default,this.options=b,this.start=this.now=this.cur(),this.end=d,this.unit=f||(n.cssNumber[c]?"":"px")},cur:function(){var a=gb.propHooks[this.prop];return a&&a.get?a.get(this):gb.propHooks._default.get(this)},run:function(a){var b,c=gb.propHooks[this.prop];return this.options.duration?this.pos=b=n.easing[this.easing](a,this.options.duration*a,0,1,this.options.duration):this.pos=b=a,this.now=(this.end-this.start)*b+this.start,this.options.step&&this.options.step.call(this.elem,this.now,this),c&&c.set?c.set(this):gb.propHooks._default.set(this),this}},gb.prototype.init.prototype=gb.prototype,gb.propHooks={_default:{get:function(a){var b;return 1!==a.elem.nodeType||null!=a.elem[a.prop]&&null==a.elem.style[a.prop]?a.elem[a.prop]:(b=n.css(a.elem,a.prop,""),b&&"auto"!==b?b:0)},set:function(a){n.fx.step[a.prop]?n.fx.step[a.prop](a):1!==a.elem.nodeType||null==a.elem.style[n.cssProps[a.prop]]&&!n.cssHooks[a.prop]?a.elem[a.prop]=a.now:n.style(a.elem,a.prop,a.now+a.unit)}}},gb.propHooks.scrollTop=gb.propHooks.scrollLeft={set:function(a){a.elem.nodeType&&a.elem.parentNode&&(a.elem[a.prop]=a.now)}},n.easing={linear:function(a){return a},swing:function(a){return.5-Math.cos(a*Math.PI)/2},_default:"swing"},n.fx=gb.prototype.init,n.fx.step={};var hb,ib,jb=/^(?:toggle|show|hide)$/,kb=/queueHooks$/;function lb(){return a.setTimeout(function(){hb=void 0}),hb=n.now()}function mb(a,b){var c,d={height:a},e=0;for(b=b?1:0;4>e;e+=2-b)c=V[e],d["margin"+c]=d["padding"+c]=a;return b&&(d.opacity=d.width=a),d}function nb(a,b,c){for(var d,e=(qb.tweeners[b]||[]).concat(qb.tweeners["*"]),f=0,g=e.length;g>f;f++)if(d=e[f].call(c,b,a))return d}function ob(a,b,c){var d,e,f,g,h,i,j,k,m=this,o={},p=a.style,q=a.nodeType&&W(a),r=n._data(a,"fxshow");c.queue||(h=n._queueHooks(a,"fx"),null==h.unqueued&&(h.unqueued=0,i=h.empty.fire,h.empty.fire=function(){h.unqueued||i()}),h.unqueued++,m.always(function(){m.always(function(){h.unqueued--,n.queue(a,"fx").length||h.empty.fire()})})),1===a.nodeType&&("height"in b||"width"in b)&&(c.overflow=[p.overflow,p.overflowX,p.overflowY],j=n.css(a,"display"),k="none"===j?n._data(a,"olddisplay")||Ma(a.nodeName):j,"inline"===k&&"none"===n.css(a,"float")&&(l.inlineBlockNeedsLayout&&"inline"!==Ma(a.nodeName)?p.zoom=1:p.display="inline-block")),c.overflow&&(p.overflow="hidden",l.shrinkWrapBlocks()||m.always(function(){p.overflow=c.overflow[0],p.overflowX=c.overflow[1],p.overflowY=c.overflow[2]}));for(d in b)if(e=b[d],jb.exec(e)){if(delete b[d],f=f||"toggle"===e,e===(q?"hide":"show")){if("show"!==e||!r||void 0===r[d])continue;q=!0}o[d]=r&&r[d]||n.style(a,d)}else j=void 0;if(n.isEmptyObject(o))"inline"===("none"===j?Ma(a.nodeName):j)&&(p.display=j);else{r?"hidden"in r&&(q=r.hidden):r=n._data(a,"fxshow",{}),f&&(r.hidden=!q),q?n(a).show():m.done(function(){n(a).hide()}),m.done(function(){var b;n._removeData(a,"fxshow");for(b in o)n.style(a,b,o[b])});for(d in o)g=nb(q?r[d]:0,d,m),d in r||(r[d]=g.start,q&&(g.end=g.start,g.start="width"===d||"height"===d?1:0))}}function pb(a,b){var c,d,e,f,g;for(c in a)if(d=n.camelCase(c),e=b[d],f=a[c],n.isArray(f)&&(e=f[1],f=a[c]=f[0]),c!==d&&(a[d]=f,delete a[c]),g=n.cssHooks[d],g&&"expand"in g){f=g.expand(f),delete a[d];for(c in f)c in a||(a[c]=f[c],b[c]=e)}else b[d]=e}function qb(a,b,c){var d,e,f=0,g=qb.prefilters.length,h=n.Deferred().always(function(){delete i.elem}),i=function(){if(e)return!1;for(var b=hb||lb(),c=Math.max(0,j.startTime+j.duration-b),d=c/j.duration||0,f=1-d,g=0,i=j.tweens.length;i>g;g++)j.tweens[g].run(f);return h.notifyWith(a,[j,f,c]),1>f&&i?c:(h.resolveWith(a,[j]),!1)},j=h.promise({elem:a,props:n.extend({},b),opts:n.extend(!0,{specialEasing:{},easing:n.easing._default},c),originalProperties:b,originalOptions:c,startTime:hb||lb(),duration:c.duration,tweens:[],createTween:function(b,c){var d=n.Tween(a,j.opts,b,c,j.opts.specialEasing[b]||j.opts.easing);return j.tweens.push(d),d},stop:function(b){var c=0,d=b?j.tweens.length:0;if(e)return this;for(e=!0;d>c;c++)j.tweens[c].run(1);return b?(h.notifyWith(a,[j,1,0]),h.resolveWith(a,[j,b])):h.rejectWith(a,[j,b]),this}}),k=j.props;for(pb(k,j.opts.specialEasing);g>f;f++)if(d=qb.prefilters[f].call(j,a,k,j.opts))return n.isFunction(d.stop)&&(n._queueHooks(j.elem,j.opts.queue).stop=n.proxy(d.stop,d)),d;return n.map(k,nb,j),n.isFunction(j.opts.start)&&j.opts.start.call(a,j),n.fx.timer(n.extend(i,{elem:a,anim:j,queue:j.opts.queue})),j.progress(j.opts.progress).done(j.opts.done,j.opts.complete).fail(j.opts.fail).always(j.opts.always)}n.Animation=n.extend(qb,{tweeners:{"*":[function(a,b){var c=this.createTween(a,b);return X(c.elem,a,U.exec(b),c),c}]},tweener:function(a,b){n.isFunction(a)?(b=a,a=["*"]):a=a.match(G);for(var c,d=0,e=a.length;e>d;d++)c=a[d],qb.tweeners[c]=qb.tweeners[c]||[],qb.tweeners[c].unshift(b)},prefilters:[ob],prefilter:function(a,b){b?qb.prefilters.unshift(a):qb.prefilters.push(a)}}),n.speed=function(a,b,c){var d=a&&"object"==typeof a?n.extend({},a):{complete:c||!c&&b||n.isFunction(a)&&a,duration:a,easing:c&&b||b&&!n.isFunction(b)&&b};return d.duration=n.fx.off?0:"number"==typeof d.duration?d.duration:d.duration in n.fx.speeds?n.fx.speeds[d.duration]:n.fx.speeds._default,null!=d.queue&&d.queue!==!0||(d.queue="fx"),d.old=d.complete,d.complete=function(){n.isFunction(d.old)&&d.old.call(this),d.queue&&n.dequeue(this,d.queue)},d},n.fn.extend({fadeTo:function(a,b,c,d){return this.filter(W).css("opacity",0).show().end().animate({opacity:b},a,c,d)},animate:function(a,b,c,d){var e=n.isEmptyObject(a),f=n.speed(b,c,d),g=function(){var b=qb(this,n.extend({},a),f);(e||n._data(this,"finish"))&&b.stop(!0)};return g.finish=g,e||f.queue===!1?this.each(g):this.queue(f.queue,g)},stop:function(a,b,c){var d=function(a){var b=a.stop;delete a.stop,b(c)};return"string"!=typeof a&&(c=b,b=a,a=void 0),b&&a!==!1&&this.queue(a||"fx",[]),this.each(function(){var b=!0,e=null!=a&&a+"queueHooks",f=n.timers,g=n._data(this);if(e)g[e]&&g[e].stop&&d(g[e]);else for(e in g)g[e]&&g[e].stop&&kb.test(e)&&d(g[e]);for(e=f.length;e--;)f[e].elem!==this||null!=a&&f[e].queue!==a||(f[e].anim.stop(c),b=!1,f.splice(e,1));!b&&c||n.dequeue(this,a)})},finish:function(a){return a!==!1&&(a=a||"fx"),this.each(function(){var b,c=n._data(this),d=c[a+"queue"],e=c[a+"queueHooks"],f=n.timers,g=d?d.length:0;for(c.finish=!0,n.queue(this,a,[]),e&&e.stop&&e.stop.call(this,!0),b=f.length;b--;)f[b].elem===this&&f[b].queue===a&&(f[b].anim.stop(!0),f.splice(b,1));for(b=0;g>b;b++)d[b]&&d[b].finish&&d[b].finish.call(this);delete c.finish})}}),n.each(["toggle","show","hide"],function(a,b){var c=n.fn[b];n.fn[b]=function(a,d,e){return null==a||"boolean"==typeof a?c.apply(this,arguments):this.animate(mb(b,!0),a,d,e)}}),n.each({slideDown:mb("show"),slideUp:mb("hide"),slideToggle:mb("toggle"),fadeIn:{opacity:"show"},fadeOut:{opacity:"hide"},fadeToggle:{opacity:"toggle"}},function(a,b){n.fn[a]=function(a,c,d){return this.animate(b,a,c,d)}}),n.timers=[],n.fx.tick=function(){var a,b=n.timers,c=0;for(hb=n.now();c<b.length;c++)a=b[c],a()||b[c]!==a||b.splice(c--,1);b.length||n.fx.stop(),hb=void 0},n.fx.timer=function(a){n.timers.push(a),a()?n.fx.start():n.timers.pop()},n.fx.interval=13,n.fx.start=function(){ib||(ib=a.setInterval(n.fx.tick,n.fx.interval))},n.fx.stop=function(){a.clearInterval(ib),ib=null},n.fx.speeds={slow:600,fast:200,_default:400},n.fn.delay=function(b,c){return b=n.fx?n.fx.speeds[b]||b:b,c=c||"fx",this.queue(c,function(c,d){var e=a.setTimeout(c,b);d.stop=function(){a.clearTimeout(e)}})},function(){var a,b=d.createElement("input"),c=d.createElement("div"),e=d.createElement("select"),f=e.appendChild(d.createElement("option"));c=d.createElement("div"),c.setAttribute("className","t"),c.innerHTML=" <link/><table></table><a href='/a'>a</a><input type='checkbox'/>",a=c.getElementsByTagName("a")[0],b.setAttribute("type","checkbox"),c.appendChild(b),a=c.getElementsByTagName("a")[0],a.style.cssText="top:1px",l.getSetAttribute="t"!==c.className,l.style=/top/.test(a.getAttribute("style")),l.hrefNormalized="/a"===a.getAttribute("href"),l.checkOn=!!b.value,l.optSelected=f.selected,l.enctype=!!d.createElement("form").enctype,e.disabled=!0,l.optDisabled=!f.disabled,b=d.createElement("input"),b.setAttribute("value",""),l.input=""===b.getAttribute("value"),b.value="t",b.setAttribute("type","radio"),l.radioValue="t"===b.value}();var rb=/\r/g,sb=/[\x20\t\r\n\f]+/g;n.fn.extend({val:function(a){var b,c,d,e=this[0];{if(arguments.length)return d=n.isFunction(a),this.each(function(c){var e;1===this.nodeType&&(e=d?a.call(this,c,n(this).val()):a,null==e?e="":"number"==typeof e?e+="":n.isArray(e)&&(e=n.map(e,function(a){return null==a?"":a+""})),b=n.valHooks[this.type]||n.valHooks[this.nodeName.toLowerCase()],b&&"set"in b&&void 0!==b.set(this,e,"value")||(this.value=e))});if(e)return b=n.valHooks[e.type]||n.valHooks[e.nodeName.toLowerCase()],b&&"get"in b&&void 0!==(c=b.get(e,"value"))?c:(c=e.value,"string"==typeof c?c.replace(rb,""):null==c?"":c)}}}),n.extend({valHooks:{option:{get:function(a){var b=n.find.attr(a,"value");return null!=b?b:n.trim(n.text(a)).replace(sb," ")}},select:{get:function(a){for(var b,c,d=a.options,e=a.selectedIndex,f="select-one"===a.type||0>e,g=f?null:[],h=f?e+1:d.length,i=0>e?h:f?e:0;h>i;i++)if(c=d[i],(c.selected||i===e)&&(l.optDisabled?!c.disabled:null===c.getAttribute("disabled"))&&(!c.parentNode.disabled||!n.nodeName(c.parentNode,"optgroup"))){if(b=n(c).val(),f)return b;g.push(b)}return g},set:function(a,b){var c,d,e=a.options,f=n.makeArray(b),g=e.length;while(g--)if(d=e[g],n.inArray(n.valHooks.option.get(d),f)>-1)try{d.selected=c=!0}catch(h){d.scrollHeight}else d.selected=!1;return c||(a.selectedIndex=-1),e}}}}),n.each(["radio","checkbox"],function(){n.valHooks[this]={set:function(a,b){return n.isArray(b)?a.checked=n.inArray(n(a).val(),b)>-1:void 0}},l.checkOn||(n.valHooks[this].get=function(a){return null===a.getAttribute("value")?"on":a.value})});var tb,ub,vb=n.expr.attrHandle,wb=/^(?:checked|selected)$/i,xb=l.getSetAttribute,yb=l.input;n.fn.extend({attr:function(a,b){return Y(this,n.attr,a,b,arguments.length>1)},removeAttr:function(a){return this.each(function(){n.removeAttr(this,a)})}}),n.extend({attr:function(a,b,c){var d,e,f=a.nodeType;if(3!==f&&8!==f&&2!==f)return"undefined"==typeof a.getAttribute?n.prop(a,b,c):(1===f&&n.isXMLDoc(a)||(b=b.toLowerCase(),e=n.attrHooks[b]||(n.expr.match.bool.test(b)?ub:tb)),void 0!==c?null===c?void n.removeAttr(a,b):e&&"set"in e&&void 0!==(d=e.set(a,c,b))?d:(a.setAttribute(b,c+""),c):e&&"get"in e&&null!==(d=e.get(a,b))?d:(d=n.find.attr(a,b),null==d?void 0:d))},attrHooks:{type:{set:function(a,b){if(!l.radioValue&&"radio"===b&&n.nodeName(a,"input")){var c=a.value;return a.setAttribute("type",b),c&&(a.value=c),b}}}},removeAttr:function(a,b){var c,d,e=0,f=b&&b.match(G);if(f&&1===a.nodeType)while(c=f[e++])d=n.propFix[c]||c,n.expr.match.bool.test(c)?yb&&xb||!wb.test(c)?a[d]=!1:a[n.camelCase("default-"+c)]=a[d]=!1:n.attr(a,c,""),a.removeAttribute(xb?c:d)}}),ub={set:function(a,b,c){return b===!1?n.removeAttr(a,c):yb&&xb||!wb.test(c)?a.setAttribute(!xb&&n.propFix[c]||c,c):a[n.camelCase("default-"+c)]=a[c]=!0,c}},n.each(n.expr.match.bool.source.match(/\w+/g),function(a,b){var c=vb[b]||n.find.attr;yb&&xb||!wb.test(b)?vb[b]=function(a,b,d){var e,f;return d||(f=vb[b],vb[b]=e,e=null!=c(a,b,d)?b.toLowerCase():null,vb[b]=f),e}:vb[b]=function(a,b,c){return c?void 0:a[n.camelCase("default-"+b)]?b.toLowerCase():null}}),yb&&xb||(n.attrHooks.value={set:function(a,b,c){return n.nodeName(a,"input")?void(a.defaultValue=b):tb&&tb.set(a,b,c)}}),xb||(tb={set:function(a,b,c){var d=a.getAttributeNode(c);return d||a.setAttributeNode(d=a.ownerDocument.createAttribute(c)),d.value=b+="","value"===c||b===a.getAttribute(c)?b:void 0}},vb.id=vb.name=vb.coords=function(a,b,c){var d;return c?void 0:(d=a.getAttributeNode(b))&&""!==d.value?d.value:null},n.valHooks.button={get:function(a,b){var c=a.getAttributeNode(b);return c&&c.specified?c.value:void 0},set:tb.set},n.attrHooks.contenteditable={set:function(a,b,c){tb.set(a,""===b?!1:b,c)}},n.each(["width","height"],function(a,b){n.attrHooks[b]={set:function(a,c){return""===c?(a.setAttribute(b,"auto"),c):void 0}}})),l.style||(n.attrHooks.style={get:function(a){return a.style.cssText||void 0},set:function(a,b){return a.style.cssText=b+""}});var zb=/^(?:input|select|textarea|button|object)$/i,Ab=/^(?:a|area)$/i;n.fn.extend({prop:function(a,b){return Y(this,n.prop,a,b,arguments.length>1)},removeProp:function(a){return a=n.propFix[a]||a,this.each(function(){try{this[a]=void 0,delete this[a]}catch(b){}})}}),n.extend({prop:function(a,b,c){var d,e,f=a.nodeType;if(3!==f&&8!==f&&2!==f)return 1===f&&n.isXMLDoc(a)||(b=n.propFix[b]||b,e=n.propHooks[b]),void 0!==c?e&&"set"in e&&void 0!==(d=e.set(a,c,b))?d:a[b]=c:e&&"get"in e&&null!==(d=e.get(a,b))?d:a[b]},propHooks:{tabIndex:{get:function(a){var b=n.find.attr(a,"tabindex");return b?parseInt(b,10):zb.test(a.nodeName)||Ab.test(a.nodeName)&&a.href?0:-1}}},propFix:{"for":"htmlFor","class":"className"}}),l.hrefNormalized||n.each(["href","src"],function(a,b){n.propHooks[b]={get:function(a){return a.getAttribute(b,4)}}}),l.optSelected||(n.propHooks.selected={get:function(a){var b=a.parentNode;return b&&(b.selectedIndex,b.parentNode&&b.parentNode.selectedIndex),null},set:function(a){var b=a.parentNode;b&&(b.selectedIndex,b.parentNode&&b.parentNode.selectedIndex)}}),n.each(["tabIndex","readOnly","maxLength","cellSpacing","cellPadding","rowSpan","colSpan","useMap","frameBorder","contentEditable"],function(){n.propFix[this.toLowerCase()]=this}),l.enctype||(n.propFix.enctype="encoding");var Bb=/[\t\r\n\f]/g;function Cb(a){return n.attr(a,"class")||""}n.fn.extend({addClass:function(a){var b,c,d,e,f,g,h,i=0;if(n.isFunction(a))return this.each(function(b){n(this).addClass(a.call(this,b,Cb(this)))});if("string"==typeof a&&a){b=a.match(G)||[];while(c=this[i++])if(e=Cb(c),d=1===c.nodeType&&(" "+e+" ").replace(Bb," ")){g=0;while(f=b[g++])d.indexOf(" "+f+" ")<0&&(d+=f+" ");h=n.trim(d),e!==h&&n.attr(c,"class",h)}}return this},removeClass:function(a){var b,c,d,e,f,g,h,i=0;if(n.isFunction(a))return this.each(function(b){n(this).removeClass(a.call(this,b,Cb(this)))});if(!arguments.length)return this.attr("class","");if("string"==typeof a&&a){b=a.match(G)||[];while(c=this[i++])if(e=Cb(c),d=1===c.nodeType&&(" "+e+" ").replace(Bb," ")){g=0;while(f=b[g++])while(d.indexOf(" "+f+" ")>-1)d=d.replace(" "+f+" "," ");h=n.trim(d),e!==h&&n.attr(c,"class",h)}}return this},toggleClass:function(a,b){var c=typeof a;return"boolean"==typeof b&&"string"===c?b?this.addClass(a):this.removeClass(a):n.isFunction(a)?this.each(function(c){n(this).toggleClass(a.call(this,c,Cb(this),b),b)}):this.each(function(){var b,d,e,f;if("string"===c){d=0,e=n(this),f=a.match(G)||[];while(b=f[d++])e.hasClass(b)?e.removeClass(b):e.addClass(b)}else void 0!==a&&"boolean"!==c||(b=Cb(this),b&&n._data(this,"__className__",b),n.attr(this,"class",b||a===!1?"":n._data(this,"__className__")||""))})},hasClass:function(a){var b,c,d=0;b=" "+a+" ";while(c=this[d++])if(1===c.nodeType&&(" "+Cb(c)+" ").replace(Bb," ").indexOf(b)>-1)return!0;return!1}}),n.each("blur focus focusin focusout load resize scroll unload click dblclick mousedown mouseup mousemove mouseover mouseout mouseenter mouseleave change select submit keydown keypress keyup error contextmenu".split(" "),function(a,b){n.fn[b]=function(a,c){return arguments.length>0?this.on(b,null,a,c):this.trigger(b)}}),n.fn.extend({hover:function(a,b){return this.mouseenter(a).mouseleave(b||a)}});var Db=a.location,Eb=n.now(),Fb=/\?/,Gb=/(,)|(\[|{)|(}|])|"(?:[^"\\\r\n]|\\["\\\/bfnrt]|\\u[\da-fA-F]{4})*"\s*:?|true|false|null|-?(?!0\d)\d+(?:\.\d+|)(?:[eE][+-]?\d+|)/g;n.parseJSON=function(b){if(a.JSON&&a.JSON.parse)return a.JSON.parse(b+"");var c,d=null,e=n.trim(b+"");return e&&!n.trim(e.replace(Gb,function(a,b,e,f){return c&&b&&(d=0),0===d?a:(c=e||b,d+=!f-!e,"")}))?Function("return "+e)():n.error("Invalid JSON: "+b)},n.parseXML=function(b){var c,d;if(!b||"string"!=typeof b)return null;try{a.DOMParser?(d=new a.DOMParser,c=d.parseFromString(b,"text/xml")):(c=new a.ActiveXObject("Microsoft.XMLDOM"),c.async="false",c.loadXML(b))}catch(e){c=void 0}return c&&c.documentElement&&!c.getElementsByTagName("parsererror").length||n.error("Invalid XML: "+b),c};var Hb=/#.*$/,Ib=/([?&])_=[^&]*/,Jb=/^(.*?):[ \t]*([^\r\n]*)\r?$/gm,Kb=/^(?:about|app|app-storage|.+-extension|file|res|widget):$/,Lb=/^(?:GET|HEAD)$/,Mb=/^\/\//,Nb=/^([\w.+-]+:)(?:\/\/(?:[^\/?#]*@|)([^\/?#:]*)(?::(\d+)|)|)/,Ob={},Pb={},Qb="*/".concat("*"),Rb=Db.href,Sb=Nb.exec(Rb.toLowerCase())||[];function Tb(a){return function(b,c){"string"!=typeof b&&(c=b,b="*");var d,e=0,f=b.toLowerCase().match(G)||[];if(n.isFunction(c))while(d=f[e++])"+"===d.charAt(0)?(d=d.slice(1)||"*",(a[d]=a[d]||[]).unshift(c)):(a[d]=a[d]||[]).push(c)}}function Ub(a,b,c,d){var e={},f=a===Pb;function g(h){var i;return e[h]=!0,n.each(a[h]||[],function(a,h){var j=h(b,c,d);return"string"!=typeof j||f||e[j]?f?!(i=j):void 0:(b.dataTypes.unshift(j),g(j),!1)}),i}return g(b.dataTypes[0])||!e["*"]&&g("*")}function Vb(a,b){var c,d,e=n.ajaxSettings.flatOptions||{};for(d in b)void 0!==b[d]&&((e[d]?a:c||(c={}))[d]=b[d]);return c&&n.extend(!0,a,c),a}function Wb(a,b,c){var d,e,f,g,h=a.contents,i=a.dataTypes;while("*"===i[0])i.shift(),void 0===e&&(e=a.mimeType||b.getResponseHeader("Content-Type"));if(e)for(g in h)if(h[g]&&h[g].test(e)){i.unshift(g);break}if(i[0]in c)f=i[0];else{for(g in c){if(!i[0]||a.converters[g+" "+i[0]]){f=g;break}d||(d=g)}f=f||d}return f?(f!==i[0]&&i.unshift(f),c[f]):void 0}function Xb(a,b,c,d){var e,f,g,h,i,j={},k=a.dataTypes.slice();if(k[1])for(g in a.converters)j[g.toLowerCase()]=a.converters[g];f=k.shift();while(f)if(a.responseFields[f]&&(c[a.responseFields[f]]=b),!i&&d&&a.dataFilter&&(b=a.dataFilter(b,a.dataType)),i=f,f=k.shift())if("*"===f)f=i;else if("*"!==i&&i!==f){if(g=j[i+" "+f]||j["* "+f],!g)for(e in j)if(h=e.split(" "),h[1]===f&&(g=j[i+" "+h[0]]||j["* "+h[0]])){g===!0?g=j[e]:j[e]!==!0&&(f=h[0],k.unshift(h[1]));break}if(g!==!0)if(g&&a["throws"])b=g(b);else try{b=g(b)}catch(l){return{state:"parsererror",error:g?l:"No conversion from "+i+" to "+f}}}return{state:"success",data:b}}n.extend({active:0,lastModified:{},etag:{},ajaxSettings:{url:Rb,type:"GET",isLocal:Kb.test(Sb[1]),global:!0,processData:!0,async:!0,contentType:"application/x-www-form-urlencoded; charset=UTF-8",accepts:{"*":Qb,text:"text/plain",html:"text/html",xml:"application/xml, text/xml",json:"application/json, text/javascript"},contents:{xml:/\bxml\b/,html:/\bhtml/,json:/\bjson\b/},responseFields:{xml:"responseXML",text:"responseText",json:"responseJSON"},converters:{"* text":String,"text html":!0,"text json":n.parseJSON,"text xml":n.parseXML},flatOptions:{url:!0,context:!0}},ajaxSetup:function(a,b){return b?Vb(Vb(a,n.ajaxSettings),b):Vb(n.ajaxSettings,a)},ajaxPrefilter:Tb(Ob),ajaxTransport:Tb(Pb),ajax:function(b,c){"object"==typeof b&&(c=b,b=void 0),c=c||{};var d,e,f,g,h,i,j,k,l=n.ajaxSetup({},c),m=l.context||l,o=l.context&&(m.nodeType||m.jquery)?n(m):n.event,p=n.Deferred(),q=n.Callbacks("once memory"),r=l.statusCode||{},s={},t={},u=0,v="canceled",w={readyState:0,getResponseHeader:function(a){var b;if(2===u){if(!k){k={};while(b=Jb.exec(g))k[b[1].toLowerCase()]=b[2]}b=k[a.toLowerCase()]}return null==b?null:b},getAllResponseHeaders:function(){return 2===u?g:null},setRequestHeader:function(a,b){var c=a.toLowerCase();return u||(a=t[c]=t[c]||a,s[a]=b),this},overrideMimeType:function(a){return u||(l.mimeType=a),this},statusCode:function(a){var b;if(a)if(2>u)for(b in a)r[b]=[r[b],a[b]];else w.always(a[w.status]);return this},abort:function(a){var b=a||v;return j&&j.abort(b),y(0,b),this}};if(p.promise(w).complete=q.add,w.success=w.done,w.error=w.fail,l.url=((b||l.url||Rb)+"").replace(Hb,"").replace(Mb,Sb[1]+"//"),l.type=c.method||c.type||l.method||l.type,l.dataTypes=n.trim(l.dataType||"*").toLowerCase().match(G)||[""],null==l.crossDomain&&(d=Nb.exec(l.url.toLowerCase()),l.crossDomain=!(!d||d[1]===Sb[1]&&d[2]===Sb[2]&&(d[3]||("http:"===d[1]?"80":"443"))===(Sb[3]||("http:"===Sb[1]?"80":"443")))),l.data&&l.processData&&"string"!=typeof l.data&&(l.data=n.param(l.data,l.traditional)),Ub(Ob,l,c,w),2===u)return w;i=n.event&&l.global,i&&0===n.active++&&n.event.trigger("ajaxStart"),l.type=l.type.toUpperCase(),l.hasContent=!Lb.test(l.type),f=l.url,l.hasContent||(l.data&&(f=l.url+=(Fb.test(f)?"&":"?")+l.data,delete l.data),l.cache===!1&&(l.url=Ib.test(f)?f.replace(Ib,"$1_="+Eb++):f+(Fb.test(f)?"&":"?")+"_="+Eb++)),l.ifModified&&(n.lastModified[f]&&w.setRequestHeader("If-Modified-Since",n.lastModified[f]),n.etag[f]&&w.setRequestHeader("If-None-Match",n.etag[f])),(l.data&&l.hasContent&&l.contentType!==!1||c.contentType)&&w.setRequestHeader("Content-Type",l.contentType),w.setRequestHeader("Accept",l.dataTypes[0]&&l.accepts[l.dataTypes[0]]?l.accepts[l.dataTypes[0]]+("*"!==l.dataTypes[0]?", "+Qb+"; q=0.01":""):l.accepts["*"]);for(e in l.headers)w.setRequestHeader(e,l.headers[e]);if(l.beforeSend&&(l.beforeSend.call(m,w,l)===!1||2===u))return w.abort();v="abort";for(e in{success:1,error:1,complete:1})w[e](l[e]);if(j=Ub(Pb,l,c,w)){if(w.readyState=1,i&&o.trigger("ajaxSend",[w,l]),2===u)return w;l.async&&l.timeout>0&&(h=a.setTimeout(function(){w.abort("timeout")},l.timeout));try{u=1,j.send(s,y)}catch(x){if(!(2>u))throw x;y(-1,x)}}else y(-1,"No Transport");function y(b,c,d,e){var k,s,t,v,x,y=c;2!==u&&(u=2,h&&a.clearTimeout(h),j=void 0,g=e||"",w.readyState=b>0?4:0,k=b>=200&&300>b||304===b,d&&(v=Wb(l,w,d)),v=Xb(l,v,w,k),k?(l.ifModified&&(x=w.getResponseHeader("Last-Modified"),x&&(n.lastModified[f]=x),x=w.getResponseHeader("etag"),x&&(n.etag[f]=x)),204===b||"HEAD"===l.type?y="nocontent":304===b?y="notmodified":(y=v.state,s=v.data,t=v.error,k=!t)):(t=y,!b&&y||(y="error",0>b&&(b=0))),w.status=b,w.statusText=(c||y)+"",k?p.resolveWith(m,[s,y,w]):p.rejectWith(m,[w,y,t]),w.statusCode(r),r=void 0,i&&o.trigger(k?"ajaxSuccess":"ajaxError",[w,l,k?s:t]),q.fireWith(m,[w,y]),i&&(o.trigger("ajaxComplete",[w,l]),--n.active||n.event.trigger("ajaxStop")))}return w},getJSON:function(a,b,c){return n.get(a,b,c,"json")},getScript:function(a,b){return n.get(a,void 0,b,"script")}}),n.each(["get","post"],function(a,b){n[b]=function(a,c,d,e){return n.isFunction(c)&&(e=e||d,d=c,c=void 0),n.ajax(n.extend({url:a,type:b,dataType:e,data:c,success:d},n.isPlainObject(a)&&a))}}),n._evalUrl=function(a){return n.ajax({url:a,type:"GET",dataType:"script",cache:!0,async:!1,global:!1,"throws":!0})},n.fn.extend({wrapAll:function(a){if(n.isFunction(a))return this.each(function(b){n(this).wrapAll(a.call(this,b))});if(this[0]){var b=n(a,this[0].ownerDocument).eq(0).clone(!0);this[0].parentNode&&b.insertBefore(this[0]),b.map(function(){var a=this;while(a.firstChild&&1===a.firstChild.nodeType)a=a.firstChild;return a}).append(this)}return this},wrapInner:function(a){return n.isFunction(a)?this.each(function(b){n(this).wrapInner(a.call(this,b))}):this.each(function(){var b=n(this),c=b.contents();c.length?c.wrapAll(a):b.append(a)})},wrap:function(a){var b=n.isFunction(a);return this.each(function(c){n(this).wrapAll(b?a.call(this,c):a)})},unwrap:function(){return this.parent().each(function(){n.nodeName(this,"body")||n(this).replaceWith(this.childNodes)}).end()}});function Yb(a){return a.style&&a.style.display||n.css(a,"display")}function Zb(a){if(!n.contains(a.ownerDocument||d,a))return!0;while(a&&1===a.nodeType){if("none"===Yb(a)||"hidden"===a.type)return!0;a=a.parentNode}return!1}n.expr.filters.hidden=function(a){return l.reliableHiddenOffsets()?a.offsetWidth<=0&&a.offsetHeight<=0&&!a.getClientRects().length:Zb(a)},n.expr.filters.visible=function(a){return!n.expr.filters.hidden(a)};var $b=/%20/g,_b=/\[\]$/,ac=/\r?\n/g,bc=/^(?:submit|button|image|reset|file)$/i,cc=/^(?:input|select|textarea|keygen)/i;function dc(a,b,c,d){var e;if(n.isArray(b))n.each(b,function(b,e){c||_b.test(a)?d(a,e):dc(a+"["+("object"==typeof e&&null!=e?b:"")+"]",e,c,d)});else if(c||"object"!==n.type(b))d(a,b);else for(e in b)dc(a+"["+e+"]",b[e],c,d)}n.param=function(a,b){var c,d=[],e=function(a,b){b=n.isFunction(b)?b():null==b?"":b,d[d.length]=encodeURIComponent(a)+"="+encodeURIComponent(b)};if(void 0===b&&(b=n.ajaxSettings&&n.ajaxSettings.traditional),n.isArray(a)||a.jquery&&!n.isPlainObject(a))n.each(a,function(){e(this.name,this.value)});else for(c in a)dc(c,a[c],b,e);return d.join("&").replace($b,"+")},n.fn.extend({serialize:function(){return n.param(this.serializeArray())},serializeArray:function(){return this.map(function(){var a=n.prop(this,"elements");return a?n.makeArray(a):this}).filter(function(){var a=this.type;return this.name&&!n(this).is(":disabled")&&cc.test(this.nodeName)&&!bc.test(a)&&(this.checked||!Z.test(a))}).map(function(a,b){var c=n(this).val();return null==c?null:n.isArray(c)?n.map(c,function(a){return{name:b.name,value:a.replace(ac,"\r\n")}}):{name:b.name,value:c.replace(ac,"\r\n")}}).get()}}),n.ajaxSettings.xhr=void 0!==a.ActiveXObject?function(){return this.isLocal?ic():d.documentMode>8?hc():/^(get|post|head|put|delete|options)$/i.test(this.type)&&hc()||ic()}:hc;var ec=0,fc={},gc=n.ajaxSettings.xhr();a.attachEvent&&a.attachEvent("onunload",function(){for(var a in fc)fc[a](void 0,!0)}),l.cors=!!gc&&"withCredentials"in gc,gc=l.ajax=!!gc,gc&&n.ajaxTransport(function(b){if(!b.crossDomain||l.cors){var c;return{send:function(d,e){var f,g=b.xhr(),h=++ec;if(g.open(b.type,b.url,b.async,b.username,b.password),b.xhrFields)for(f in b.xhrFields)g[f]=b.xhrFields[f];b.mimeType&&g.overrideMimeType&&g.overrideMimeType(b.mimeType),b.crossDomain||d["X-Requested-With"]||(d["X-Requested-With"]="XMLHttpRequest");for(f in d)void 0!==d[f]&&g.setRequestHeader(f,d[f]+"");g.send(b.hasContent&&b.data||null),c=function(a,d){var f,i,j;if(c&&(d||4===g.readyState))if(delete fc[h],c=void 0,g.onreadystatechange=n.noop,d)4!==g.readyState&&g.abort();else{j={},f=g.status,"string"==typeof g.responseText&&(j.text=g.responseText);try{i=g.statusText}catch(k){i=""}f||!b.isLocal||b.crossDomain?1223===f&&(f=204):f=j.text?200:404}j&&e(f,i,j,g.getAllResponseHeaders())},b.async?4===g.readyState?a.setTimeout(c):g.onreadystatechange=fc[h]=c:c()},abort:function(){c&&c(void 0,!0)}}}});function hc(){try{return new a.XMLHttpRequest}catch(b){}}function ic(){try{return new a.ActiveXObject("Microsoft.XMLHTTP")}catch(b){}}n.ajaxSetup({accepts:{script:"text/javascript, application/javascript, application/ecmascript, application/x-ecmascript"},contents:{script:/\b(?:java|ecma)script\b/},converters:{"text script":function(a){return n.globalEval(a),a}}}),n.ajaxPrefilter("script",function(a){void 0===a.cache&&(a.cache=!1),a.crossDomain&&(a.type="GET",a.global=!1)}),n.ajaxTransport("script",function(a){if(a.crossDomain){var b,c=d.head||n("head")[0]||d.documentElement;return{send:function(e,f){b=d.createElement("script"),b.async=!0,a.scriptCharset&&(b.charset=a.scriptCharset),b.src=a.url,b.onload=b.onreadystatechange=function(a,c){(c||!b.readyState||/loaded|complete/.test(b.readyState))&&(b.onload=b.onreadystatechange=null,b.parentNode&&b.parentNode.removeChild(b),b=null,c||f(200,"success"))},c.insertBefore(b,c.firstChild)},abort:function(){b&&b.onload(void 0,!0)}}}});var jc=[],kc=/(=)\?(?=&|$)|\?\?/;n.ajaxSetup({jsonp:"callback",jsonpCallback:function(){var a=jc.pop()||n.expando+"_"+Eb++;return this[a]=!0,a}}),n.ajaxPrefilter("json jsonp",function(b,c,d){var e,f,g,h=b.jsonp!==!1&&(kc.test(b.url)?"url":"string"==typeof b.data&&0===(b.contentType||"").indexOf("application/x-www-form-urlencoded")&&kc.test(b.data)&&"data");return h||"jsonp"===b.dataTypes[0]?(e=b.jsonpCallback=n.isFunction(b.jsonpCallback)?b.jsonpCallback():b.jsonpCallback,h?b[h]=b[h].replace(kc,"$1"+e):b.jsonp!==!1&&(b.url+=(Fb.test(b.url)?"&":"?")+b.jsonp+"="+e),b.converters["script json"]=function(){return g||n.error(e+" was not called"),g[0]},b.dataTypes[0]="json",f=a[e],a[e]=function(){g=arguments},d.always(function(){void 0===f?n(a).removeProp(e):a[e]=f,b[e]&&(b.jsonpCallback=c.jsonpCallback,jc.push(e)),g&&n.isFunction(f)&&f(g[0]),g=f=void 0}),"script"):void 0}),n.parseHTML=function(a,b,c){if(!a||"string"!=typeof a)return null;"boolean"==typeof b&&(c=b,b=!1),b=b||d;var e=x.exec(a),f=!c&&[];return e?[b.createElement(e[1])]:(e=ja([a],b,f),f&&f.length&&n(f).remove(),n.merge([],e.childNodes))};var lc=n.fn.load;n.fn.load=function(a,b,c){if("string"!=typeof a&&lc)return lc.apply(this,arguments);var d,e,f,g=this,h=a.indexOf(" ");return h>-1&&(d=n.trim(a.slice(h,a.length)),a=a.slice(0,h)),n.isFunction(b)?(c=b,b=void 0):b&&"object"==typeof b&&(e="POST"),g.length>0&&n.ajax({url:a,type:e||"GET",dataType:"html",data:b}).done(function(a){f=arguments,g.html(d?n("<div>").append(n.parseHTML(a)).find(d):a)}).always(c&&function(a,b){g.each(function(){c.apply(this,f||[a.responseText,b,a])})}),this},n.each(["ajaxStart","ajaxStop","ajaxComplete","ajaxError","ajaxSuccess","ajaxSend"],function(a,b){n.fn[b]=function(a){return this.on(b,a)}}),n.expr.filters.animated=function(a){return n.grep(n.timers,function(b){return a===b.elem}).length};function mc(a){return n.isWindow(a)?a:9===a.nodeType?a.defaultView||a.parentWindow:!1}n.offset={setOffset:function(a,b,c){var d,e,f,g,h,i,j,k=n.css(a,"position"),l=n(a),m={};"static"===k&&(a.style.position="relative"),h=l.offset(),f=n.css(a,"top"),i=n.css(a,"left"),j=("absolute"===k||"fixed"===k)&&n.inArray("auto",[f,i])>-1,j?(d=l.position(),g=d.top,e=d.left):(g=parseFloat(f)||0,e=parseFloat(i)||0),n.isFunction(b)&&(b=b.call(a,c,n.extend({},h))),null!=b.top&&(m.top=b.top-h.top+g),null!=b.left&&(m.left=b.left-h.left+e),"using"in b?b.using.call(a,m):l.css(m)}},n.fn.extend({offset:function(a){if(arguments.length)return void 0===a?this:this.each(function(b){n.offset.setOffset(this,a,b)});var b,c,d={top:0,left:0},e=this[0],f=e&&e.ownerDocument;if(f)return b=f.documentElement,n.contains(b,e)?("undefined"!=typeof e.getBoundingClientRect&&(d=e.getBoundingClientRect()),c=mc(f),{top:d.top+(c.pageYOffset||b.scrollTop)-(b.clientTop||0),left:d.left+(c.pageXOffset||b.scrollLeft)-(b.clientLeft||0)}):d},position:function(){if(this[0]){var a,b,c={top:0,left:0},d=this[0];return"fixed"===n.css(d,"position")?b=d.getBoundingClientRect():(a=this.offsetParent(),b=this.offset(),n.nodeName(a[0],"html")||(c=a.offset()),c.top+=n.css(a[0],"borderTopWidth",!0),c.left+=n.css(a[0],"borderLeftWidth",!0)),{top:b.top-c.top-n.css(d,"marginTop",!0),left:b.left-c.left-n.css(d,"marginLeft",!0)}}},offsetParent:function(){return this.map(function(){var a=this.offsetParent;while(a&&!n.nodeName(a,"html")&&"static"===n.css(a,"position"))a=a.offsetParent;return a||Qa})}}),n.each({scrollLeft:"pageXOffset",scrollTop:"pageYOffset"},function(a,b){var c=/Y/.test(b);n.fn[a]=function(d){return Y(this,function(a,d,e){var f=mc(a);return void 0===e?f?b in f?f[b]:f.document.documentElement[d]:a[d]:void(f?f.scrollTo(c?n(f).scrollLeft():e,c?e:n(f).scrollTop()):a[d]=e)},a,d,arguments.length,null)}}),n.each(["top","left"],function(a,b){n.cssHooks[b]=Ua(l.pixelPosition,function(a,c){return c?(c=Sa(a,b),Oa.test(c)?n(a).position()[b]+"px":c):void 0})}),n.each({Height:"height",Width:"width"},function(a,b){n.each({ padding:"inner"+a,content:b,"":"outer"+a},function(c,d){n.fn[d]=function(d,e){var f=arguments.length&&(c||"boolean"!=typeof d),g=c||(d===!0||e===!0?"margin":"border");return Y(this,function(b,c,d){var e;return n.isWindow(b)?b.document.documentElement["client"+a]:9===b.nodeType?(e=b.documentElement,Math.max(b.body["scroll"+a],e["scroll"+a],b.body["offset"+a],e["offset"+a],e["client"+a])):void 0===d?n.css(b,c,g):n.style(b,c,d,g)},b,f?d:void 0,f,null)}})}),n.fn.extend({bind:function(a,b,c){return this.on(a,null,b,c)},unbind:function(a,b){return this.off(a,null,b)},delegate:function(a,b,c,d){return this.on(b,a,c,d)},undelegate:function(a,b,c){return 1===arguments.length?this.off(a,"**"):this.off(b,a||"**",c)}}),n.fn.size=function(){return this.length},n.fn.andSelf=n.fn.addBack,"function"==typeof define&&define.amd&&define("jquery",[],function(){return n});var nc=a.jQuery,oc=a.$;return n.noConflict=function(b){return a.$===n&&(a.$=oc),b&&a.jQuery===n&&(a.jQuery=nc),n},b||(a.jQuery=a.$=n),n}); (function($){var Node,Tree,methods;Node=(function(){function Node(row,tree,settings){var parentId;this.row=row;this.tree=tree;this.settings=settings;this.id=this.row.data(this.settings.nodeIdAttr);parentId=this.row.data(this.settings.parentIdAttr);if(parentId!=null&&parentId!=="")this.parentId=parentId;this.treeCell=$(this.row.children(this.settings.columnElType)[this.settings.column]);this.expander=$(this.settings.expanderTemplate);this.indenter=$(this.settings.indenterTemplate);this.children=[];this.initialized=false;this.treeCell.prepend(this.indenter);}Node.prototype.addChild=function(child){return this.children.push(child);};Node.prototype.ancestors=function(){var ancestors,node;node=this;ancestors=[];while(node=node.parentNode())ancestors.push(node);return ancestors;};Node.prototype.collapse=function(){if(this.collapsed())return this;this.row.removeClass("expanded").addClass("collapsed");this._hideChildren();this.expander.attr("title",this.settings.stringExpand);if(this.initialized&&this.settings.onNodeCollapse!=null)this.settings.onNodeCollapse.apply(this);return this;};Node.prototype.collapsed=function(){return this.row.hasClass("collapsed");};Node.prototype.expand=function(){if(this.expanded())return this;this.row.removeClass("collapsed").addClass("expanded");if(this.initialized&&this.settings.onNodeExpand!=null)this.settings.onNodeExpand.apply(this);if($(this.row).is(":visible"))this._showChildren();this.expander.attr("title",this.settings.stringCollapse);return this;};Node.prototype.expanded=function(){return this.row.hasClass("expanded");};Node.prototype.hide=function(){this._hideChildren();this.row.hide();return this;};Node.prototype.isBranchNode=function(){if(this.children.length>0||this.row.data(this.settings.branchAttr)===true)return true;else return false;};Node.prototype.updateBranchLeafClass=function(){this.row.removeClass('branch');this.row.removeClass('leaf');this.row.addClass(this.isBranchNode()?'branch':'leaf');};Node.prototype.level=function(){return this.ancestors().length;};Node.prototype.parentNode=function(){if(this.parentId!=null)return this.tree[this.parentId];else return null;};Node.prototype.removeChild=function(child){var i=$.inArray(child,this.children);return this.children.splice(i,1);};Node.prototype.render=function(){var handler,settings=this.settings,target;if(settings.expandable===true&&this.isBranchNode()){handler=function(e){$(this).parents("table").treetable("node",$(this).parents("tr").data(settings.nodeIdAttr)).toggle();return e.preventDefault();};this.indenter.html(this.expander);target=settings.clickableNodeNames===true?this.treeCell:this.expander;target.off("click.treetable").on("click.treetable",handler);target.off("keydown.treetable").on("keydown.treetable",function(e){if(e.keyCode==13)handler.apply(this,[e]);});}this.indenter[0].style.paddingLeft=""+(this.level()*settings.indent)+"px";return this;};Node.prototype.reveal=function(){if(this.parentId!=null)this.parentNode().reveal();return this.expand();};Node.prototype.setParent=function(node){if(this.parentId!=null)this.tree[this.parentId].removeChild(this);this.parentId=node.id;this.row.data(this.settings.parentIdAttr,node.id);return node.addChild(this);};Node.prototype.show=function(){if(!this.initialized)this._initialize();this.row.show();if(this.expanded())this._showChildren();return this;};Node.prototype.toggle=function(){if(this.expanded())this.collapse();else this.expand();return this;};Node.prototype._hideChildren=function(){var child,_i,_len,_ref,_results;_ref=this.children;_results=[];for(_i=0,_len=_ref.length;_i<_len;_i++){child=_ref[_i];_results.push(child.hide());}return _results;};Node.prototype._initialize=function(){var settings=this.settings;this.render();if(settings.expandable===true&&settings.initialState==="collapsed")this.collapse();else this.expand();if(settings.onNodeInitialized!=null)settings.onNodeInitialized.apply(this);return this.initialized=true;};Node.prototype._showChildren=function(){var child,_i,_len,_ref,_results;_ref=this.children;_results=[];for(_i=0,_len=_ref.length;_i<_len;_i++){child=_ref[_i];_results.push(child.show());}return _results;};return Node;})();Tree=(function(){function Tree(table,settings){this.table=table;this.settings=settings;this.tree={};this.nodes=[];this.roots=[];}Tree.prototype.collapseAll=function(){var node,_i,_len,_ref,_results;_ref=this.nodes;_results=[];for(_i=0,_len=_ref.length;_i<_len;_i++){node=_ref[_i];_results.push(node.collapse());}return _results;};Tree.prototype.expandAll=function(){var node,_i,_len,_ref,_results;_ref=this.nodes;_results=[];for(_i=0,_len=_ref.length;_i<_len;_i++){node=_ref[_i];_results.push(node.expand());}return _results;};Tree.prototype.findLastNode=function(node){if(node.children.length>0)return this.findLastNode(node.children[node.children.length-1]);else return node;};Tree.prototype.loadRows=function(rows){var node,row,i;if(rows!=null)for(i=0;i<rows.length;i++){row=$(rows[i]);if(row.data(this.settings.nodeIdAttr)!=null){node=new Node(row,this.tree,this.settings);this.nodes.push(node);this.tree[node.id]=node;if(node.parentId!=null&&this.tree[node.parentId])this.tree[node.parentId].addChild(node);else this.roots.push(node);}}for(i=0;i<this.nodes.length;i++)node=this.nodes[i].updateBranchLeafClass();return this;};Tree.prototype.move=function(node,destination){var nodeParent=node.parentNode();if(node!==destination&&destination.id!==node.parentId&&$.inArray(node,destination.ancestors())===-1){node.setParent(destination);this._moveRows(node,destination);if(node.parentNode().children.length===1)node.parentNode().render();}if(nodeParent)nodeParent.updateBranchLeafClass();if(node.parentNode())node.parentNode().updateBranchLeafClass();node.updateBranchLeafClass();return this;};Tree.prototype.removeNode=function(node){this.unloadBranch(node);node.row.remove();if(node.parentId!=null)node.parentNode().removeChild(node);delete this.tree[node.id];this.nodes.splice($.inArray(node,this.nodes),1);return this;};Tree.prototype.render=function(){var root,_i,_len,_ref;_ref=this.roots;for(_i=0,_len=_ref.length;_i<_len;_i++){root=_ref[_i];root.show();}return this;};Tree.prototype.sortBranch=function(node,sortFun){node.children.sort(sortFun);this._sortChildRows(node);return this;};Tree.prototype.unloadBranch=function(node){var children=node.children.slice(0),i;for(i=0;i<children.length;i++)this.removeNode(children[i]);node.children=[];node.updateBranchLeafClass();return this;};Tree.prototype._moveRows=function(node,destination){var children=node.children,i;node.row.insertAfter(destination.row);node.render();for(i=children.length-1;i>=0;i--)this._moveRows(children[i],node);};Tree.prototype._sortChildRows=function(parentNode){return this._moveRows(parentNode,parentNode);};return Tree;})();methods={init:function(options,force){var settings;settings=$.extend({branchAttr:"ttBranch",clickableNodeNames:false,column:0,columnElType:"td",expandable:false,expanderTemplate:"<a href='#'> </a>",indent:19,indenterTemplate:"<span class='indenter'></span>",initialState:"collapsed",nodeIdAttr:"ttId",parentIdAttr:"ttParentId",stringExpand:"Expand",stringCollapse:"Collapse",onInitialized:null,onNodeCollapse:null,onNodeExpand:null,onNodeInitialized:null},options);return this.each(function(){var el=$(this),tree;if(force||el.data("treetable")===undefined){tree=new Tree(this,settings);tree.loadRows(this.rows).render();el.addClass("treetable").data("treetable",tree);if(settings.onInitialized!=null)settings.onInitialized.apply(tree);}return el;});},destroy:function(){return this.each(function(){return $(this).removeData("treetable").removeClass("treetable");});},collapseAll:function(){this.data("treetable").collapseAll();return this;},collapseNode:function(id){var node=this.data("treetable").tree[id];if(node)node.collapse();else throw new Error("Unknown node '"+id+"'");return this;},expandAll:function(){this.data("treetable").expandAll();return this;},expandNode:function(id){var node=this.data("treetable").tree[id];if(node){if(!node.initialized)node._initialize();node.expand();}else throw new Error("Unknown node '"+id+"'");return this;},loadBranch:function(node,rows){var settings=this.data("treetable").settings,tree=this.data("treetable").tree;rows=$(rows);if(node==null)this.append(rows);else{var lastNode=this.data("treetable").findLastNode(node);rows.insertAfter(lastNode.row);}this.data("treetable").loadRows(rows);rows.filter("tr").each(function(){tree[$(this).data(settings.nodeIdAttr)].show();});if(node!=null)node.render().expand();return this;},move:function(nodeId,destinationId){var destination,node;node=this.data("treetable").tree[nodeId];destination=this.data("treetable").tree[destinationId];this.data("treetable").move(node,destination);return this;},node:function(id){return this.data("treetable").tree[id];},removeNode:function(id){var node=this.data("treetable").tree[id];if(node)this.data("treetable").removeNode(node);else throw new Error("Unknown node '"+id+"'");return this;},reveal:function(id){var node=this.data("treetable").tree[id];if(node)node.reveal();else throw new Error("Unknown node '"+id+"'");return this;},sortBranch:function(node,columnOrFunction){var settings=this.data("treetable").settings,prepValue,sortFun;columnOrFunction=columnOrFunction||settings.column;sortFun=columnOrFunction;if($.isNumeric(columnOrFunction))sortFun=function(a,b){var extractValue,valA,valB;extractValue=function(node){var val=node.row.find("td:eq("+columnOrFunction+")").text();return $.trim(val).toUpperCase();};valA=extractValue(a);valB=extractValue(b);if(valA<valB)return -1;if(valA>valB)return 1;return 0;};this.data("treetable").sortBranch(node,sortFun);return this;},unloadBranch:function(node){this.data("treetable").unloadBranch(node);return this;}};$.fn.treetable=function(method){if(methods[method])return methods[method].apply(this,Array.prototype.slice.call(arguments,1));else if(typeof method==='object'||!method)return methods.init.apply(this,arguments);else return $.error("Method "+method+" does not exist on jQuery.treetable");};this.TreeTable||(this.TreeTable={});this.TreeTable.Node=Node;this.TreeTable.Tree=Tree;})(jQuery);if("undefined"==typeof jQuery)throw new Error("Bootstrap's JavaScript requires jQuery");+function(t){"use strict";var e=t.fn.jquery.split(" ")[0].split(".");if(e[0]<2&&e[1]<9||1==e[0]&&9==e[1]&&e[2]<1||e[0]>3)throw new Error("Bootstrap's JavaScript requires jQuery version 1.9.1 or higher, but lower than version 4");}(jQuery),+function(t){"use strict";function e(e){return this.each(function(){var i=t(this),o=i.data("bs.alert");o||i.data("bs.alert",o=new n(this)),"string"==typeof e&&o[e].call(i);});}var i='[data-dismiss="alert"]',n=function(e){t(e).on("click",i,this.close);};n.VERSION="3.3.7",n.TRANSITION_DURATION=150,n.prototype.close=function(e){function i(){a.detach().trigger("closed.bs.alert").remove();}var o=t(this),s=o.attr("data-target");s||(s=o.attr("href"),s=s&&s.replace(/.*(?=#[^\s]*$)/,""));var a=t("#"===s?[]:s);e&&e.preventDefault(),a.length||(a=o.closest(".alert")),a.trigger(e=t.Event("close.bs.alert")),e.isDefaultPrevented()||(a.removeClass("in"),t.support.transition&&a.hasClass("fade")?a.one("bsTransitionEnd",i).emulateTransitionEnd(n.TRANSITION_DURATION):i());};var o=t.fn.alert;t.fn.alert=e,t.fn.alert.Constructor=n,t.fn.alert.noConflict=function(){return t.fn.alert=o,this;},t(document).on("click.bs.alert.data-api",i,n.prototype.close);}(jQuery),+function(t){"use strict";function e(e){var i=e.attr("data-target");i||(i=e.attr("href"),i=i&&/#[A-Za-z]/.test(i)&&i.replace(/.*(?=#[^\s]*$)/,""));var n=i&&t(i);return n&&n.length?n:e.parent();}function i(i){i&&3===i.which||(t(o).remove(),t(s).each(function(){var n=t(this),o=e(n),s={relatedTarget:this};o.hasClass("open")&&(i&&"click"==i.type&&/input|textarea/i.test(i.target.tagName)&&t.contains(o[0],i.target)||(o.trigger(i=t.Event("hide.bs.dropdown",s)),i.isDefaultPrevented()||(n.attr("aria-expanded","false"),o.removeClass("open").trigger(t.Event("hidden.bs.dropdown",s)))));}));}function n(e){return this.each(function(){var i=t(this),n=i.data("bs.dropdown");n||i.data("bs.dropdown",n=new a(this)),"string"==typeof e&&n[e].call(i);});}var o=".dropdown-backdrop",s='[data-toggle="dropdown"]',a=function(e){t(e).on("click.bs.dropdown",this.toggle);};a.VERSION="3.3.7",a.prototype.toggle=function(n){var o=t(this);if(!o.is(".disabled, :disabled")){var s=e(o),a=s.hasClass("open");if(i(),!a){"ontouchstart" in document.documentElement&&!s.closest(".navbar-nav").length&&t(document.createElement("div")).addClass("dropdown-backdrop").insertAfter(t(this)).on("click",i);var r={relatedTarget:this};if(s.trigger(n=t.Event("show.bs.dropdown",r)),n.isDefaultPrevented())return;o.trigger("focus").attr("aria-expanded","true"),s.toggleClass("open").trigger(t.Event("shown.bs.dropdown",r));}return !1;}},a.prototype.keydown=function(i){if(/(38|40|27|32)/.test(i.which)&&!/input|textarea/i.test(i.target.tagName)){var n=t(this);if(i.preventDefault(),i.stopPropagation(),!n.is(".disabled, :disabled")){var o=e(n),a=o.hasClass("open");if(!a&&27!=i.which||a&&27==i.which)return 27==i.which&&o.find(s).trigger("focus"),n.trigger("click");var r=" li:not(.disabled):visible a",d=o.find(".dropdown-menu"+r);if(d.length){var l=d.index(i.target);38==i.which&&l>0&&l--,40==i.which&&l<d.length-1&&l++,~l||(l=0),d.eq(l).trigger("focus");}}}};var r=t.fn.dropdown;t.fn.dropdown=n,t.fn.dropdown.Constructor=a,t.fn.dropdown.noConflict=function(){return t.fn.dropdown=r,this;},t(document).on("click.bs.dropdown.data-api",i).on("click.bs.dropdown.data-api",".dropdown form",function(t){t.stopPropagation();}).on("click.bs.dropdown.data-api",s,a.prototype.toggle).on("keydown.bs.dropdown.data-api",s,a.prototype.keydown).on("keydown.bs.dropdown.data-api",".dropdown-menu",a.prototype.keydown);}(jQuery),+function(t){"use strict";function e(e,n){return this.each(function(){var o=t(this),s=o.data("bs.modal"),a=t.extend({},i.DEFAULTS,o.data(),"object"==typeof e&&e);s||o.data("bs.modal",s=new i(this,a)),"string"==typeof e?s[e](n):a.show&&s.show(n);});}var i=function(e,i){this.options=i,this.$body=t(document.body),this.$element=t(e),this.$dialog=this.$element.find(".modal-dialog"),this.$backdrop=null,this.isShown=null,this.originalBodyPad=null,this.scrollbarWidth=0,this.ignoreBackdropClick=!1,this.options.remote&&this.$element.find(".modal-content").load(this.options.remote,t.proxy(function(){this.$element.trigger("loaded.bs.modal");},this));};i.VERSION="3.3.7",i.TRANSITION_DURATION=300,i.BACKDROP_TRANSITION_DURATION=150,i.DEFAULTS={backdrop:!0,keyboard:!0,show:!0},i.prototype.toggle=function(t){return this.isShown?this.hide():this.show(t);},i.prototype.show=function(e){var n=this,o=t.Event("show.bs.modal",{relatedTarget:e});this.$element.trigger(o),this.isShown||o.isDefaultPrevented()||(this.isShown=!0,this.checkScrollbar(),this.setScrollbar(),this.$body.addClass("modal-open"),this.escape(),this.resize(),this.$element.on("click.dismiss.bs.modal",'[data-dismiss="modal"]',t.proxy(this.hide,this)),this.$dialog.on("mousedown.dismiss.bs.modal",function(){n.$element.one("mouseup.dismiss.bs.modal",function(e){t(e.target).is(n.$element)&&(n.ignoreBackdropClick=!0);});}),this.backdrop(function(){var o=t.support.transition&&n.$element.hasClass("fade");n.$element.parent().length||n.$element.appendTo(n.$body),n.$element.show().scrollTop(0),n.adjustDialog(),o&&n.$element[0].offsetWidth,n.$element.addClass("in"),n.enforceFocus();var s=t.Event("shown.bs.modal",{relatedTarget:e});o?n.$dialog.one("bsTransitionEnd",function(){n.$element.trigger("focus").trigger(s);}).emulateTransitionEnd(i.TRANSITION_DURATION):n.$element.trigger("focus").trigger(s);}));},i.prototype.hide=function(e){e&&e.preventDefault(),e=t.Event("hide.bs.modal"),this.$element.trigger(e),this.isShown&&!e.isDefaultPrevented()&&(this.isShown=!1,this.escape(),this.resize(),t(document).off("focusin.bs.modal"),this.$element.removeClass("in").off("click.dismiss.bs.modal").off("mouseup.dismiss.bs.modal"),this.$dialog.off("mousedown.dismiss.bs.modal"),t.support.transition&&this.$element.hasClass("fade")?this.$element.one("bsTransitionEnd",t.proxy(this.hideModal,this)).emulateTransitionEnd(i.TRANSITION_DURATION):this.hideModal());},i.prototype.enforceFocus=function(){t(document).off("focusin.bs.modal").on("focusin.bs.modal",t.proxy(function(t){document===t.target||this.$element[0]===t.target||this.$element.has(t.target).length||this.$element.trigger("focus");},this));},i.prototype.escape=function(){this.isShown&&this.options.keyboard?this.$element.on("keydown.dismiss.bs.modal",t.proxy(function(t){27==t.which&&this.hide();},this)):this.isShown||this.$element.off("keydown.dismiss.bs.modal");},i.prototype.resize=function(){this.isShown?t(window).on("resize.bs.modal",t.proxy(this.handleUpdate,this)):t(window).off("resize.bs.modal");},i.prototype.hideModal=function(){var t=this;this.$element.hide(),this.backdrop(function(){t.$body.removeClass("modal-open"),t.resetAdjustments(),t.resetScrollbar(),t.$element.trigger("hidden.bs.modal");});},i.prototype.removeBackdrop=function(){this.$backdrop&&this.$backdrop.remove(),this.$backdrop=null;},i.prototype.backdrop=function(e){var n=this,o=this.$element.hasClass("fade")?"fade":"";if(this.isShown&&this.options.backdrop){var s=t.support.transition&&o;if(this.$backdrop=t(document.createElement("div")).addClass("modal-backdrop "+o).appendTo(this.$body),this.$element.on("click.dismiss.bs.modal",t.proxy(function(t){return this.ignoreBackdropClick?void (this.ignoreBackdropClick=!1):void (t.target===t.currentTarget&&("static"==this.options.backdrop?this.$element[0].focus():this.hide()));},this)),s&&this.$backdrop[0].offsetWidth,this.$backdrop.addClass("in"),!e)return;s?this.$backdrop.one("bsTransitionEnd",e).emulateTransitionEnd(i.BACKDROP_TRANSITION_DURATION):e();}else if(!this.isShown&&this.$backdrop){this.$backdrop.removeClass("in");var a=function(){n.removeBackdrop(),e&&e();};t.support.transition&&this.$element.hasClass("fade")?this.$backdrop.one("bsTransitionEnd",a).emulateTransitionEnd(i.BACKDROP_TRANSITION_DURATION):a();}else e&&e();},i.prototype.handleUpdate=function(){this.adjustDialog();},i.prototype.adjustDialog=function(){var t=this.$element[0].scrollHeight>document.documentElement.clientHeight;this.$element.css({paddingLeft:!this.bodyIsOverflowing&&t?this.scrollbarWidth:"",paddingRight:this.bodyIsOverflowing&&!t?this.scrollbarWidth:""});},i.prototype.resetAdjustments=function(){this.$element.css({paddingLeft:"",paddingRight:""});},i.prototype.checkScrollbar=function(){var t=window.innerWidth;if(!t){var e=document.documentElement.getBoundingClientRect();t=e.right-Math.abs(e.left);}this.bodyIsOverflowing=document.body.clientWidth<t,this.scrollbarWidth=this.measureScrollbar();},i.prototype.setScrollbar=function(){var t=parseInt(this.$body.css("padding-right")||0,10);this.originalBodyPad=document.body.style.paddingRight||"",this.bodyIsOverflowing&&this.$body.css("padding-right",t+this.scrollbarWidth);},i.prototype.resetScrollbar=function(){this.$body.css("padding-right",this.originalBodyPad);},i.prototype.measureScrollbar=function(){var t=document.createElement("div");t.className="modal-scrollbar-measure",this.$body.append(t);var e=t.offsetWidth-t.clientWidth;return this.$body[0].removeChild(t),e;};var n=t.fn.modal;t.fn.modal=e,t.fn.modal.Constructor=i,t.fn.modal.noConflict=function(){return t.fn.modal=n,this;},t(document).on("click.bs.modal.data-api",'[data-toggle="modal"]',function(i){var n=t(this),o=n.attr("href"),s=t(n.attr("data-target")||o&&o.replace(/.*(?=#[^\s]+$)/,"")),a=s.data("bs.modal")?"toggle":t.extend({remote:!/#/.test(o)&&o},s.data(),n.data());n.is("a")&&i.preventDefault(),s.one("show.bs.modal",function(t){t.isDefaultPrevented()||s.one("hidden.bs.modal",function(){n.is(":visible")&&n.trigger("focus");});}),e.call(s,a,this);});}(jQuery),+function(t){"use strict";function e(e){var i,n=e.attr("data-target")||(i=e.attr("href"))&&i.replace(/.*(?=#[^\s]+$)/,"");return t(n);}function i(e){return this.each(function(){var i=t(this),o=i.data("bs.collapse"),s=t.extend({},n.DEFAULTS,i.data(),"object"==typeof e&&e);!o&&s.toggle&&/show|hide/.test(e)&&(s.toggle=!1),o||i.data("bs.collapse",o=new n(this,s)),"string"==typeof e&&o[e]();});}var n=function(e,i){this.$element=t(e),this.options=t.extend({},n.DEFAULTS,i),this.$trigger=t('[data-toggle="collapse"][href="#'+e.id+'"],[data-toggle="collapse"][data-target="#'+e.id+'"]'),this.transitioning=null,this.options.parent?this.$parent=this.getParent():this.addAriaAndCollapsedClass(this.$element,this.$trigger),this.options.toggle&&this.toggle();};n.VERSION="3.3.7",n.TRANSITION_DURATION=350,n.DEFAULTS={toggle:!0},n.prototype.dimension=function(){var t=this.$element.hasClass("width");return t?"width":"height";},n.prototype.show=function(){if(!this.transitioning&&!this.$element.hasClass("in")){var e,o=this.$parent&&this.$parent.children(".panel").children(".in, .collapsing");if(!(o&&o.length&&(e=o.data("bs.collapse"),e&&e.transitioning))){var s=t.Event("show.bs.collapse");if(this.$element.trigger(s),!s.isDefaultPrevented()){o&&o.length&&(i.call(o,"hide"),e||o.data("bs.collapse",null));var a=this.dimension();this.$element.removeClass("collapse").addClass("collapsing")[a](0).attr("aria-expanded",!0),this.$trigger.removeClass("collapsed").attr("aria-expanded",!0),this.transitioning=1;var r=function(){this.$element.removeClass("collapsing").addClass("collapse in")[a](""),this.transitioning=0,this.$element.trigger("shown.bs.collapse");};if(!t.support.transition)return r.call(this);var d=t.camelCase(["scroll",a].join("-"));this.$element.one("bsTransitionEnd",t.proxy(r,this)).emulateTransitionEnd(n.TRANSITION_DURATION)[a](this.$element[0][d]);}}}},n.prototype.hide=function(){if(!this.transitioning&&this.$element.hasClass("in")){var e=t.Event("hide.bs.collapse");if(this.$element.trigger(e),!e.isDefaultPrevented()){var i=this.dimension();this.$element[i](this.$element[i]())[0].offsetHeight,this.$element.addClass("collapsing").removeClass("collapse in").attr("aria-expanded",!1),this.$trigger.addClass("collapsed").attr("aria-expanded",!1),this.transitioning=1;var o=function(){this.transitioning=0,this.$element.removeClass("collapsing").addClass("collapse").trigger("hidden.bs.collapse");};return t.support.transition?void this.$element[i](0).one("bsTransitionEnd",t.proxy(o,this)).emulateTransitionEnd(n.TRANSITION_DURATION):o.call(this);}}},n.prototype.toggle=function(){this[this.$element.hasClass("in")?"hide":"show"]();},n.prototype.getParent=function(){return t(this.options.parent).find('[data-toggle="collapse"][data-parent="'+this.options.parent+'"]').each(t.proxy(function(i,n){var o=t(n);this.addAriaAndCollapsedClass(e(o),o);},this)).end();},n.prototype.addAriaAndCollapsedClass=function(t,e){var i=t.hasClass("in");t.attr("aria-expanded",i),e.toggleClass("collapsed",!i).attr("aria-expanded",i);};var o=t.fn.collapse;t.fn.collapse=i,t.fn.collapse.Constructor=n,t.fn.collapse.noConflict=function(){return t.fn.collapse=o,this;},t(document).on("click.bs.collapse.data-api",'[data-toggle="collapse"]',function(n){var o=t(this);o.attr("data-target")||n.preventDefault();var s=e(o),a=s.data("bs.collapse"),r=a?"toggle":o.data();i.call(s,r);});}(jQuery),+function(t){"use strict";function e(){var t=document.createElement("bootstrap"),e={WebkitTransition:"webkitTransitionEnd",MozTransition:"transitionend",OTransition:"oTransitionEnd otransitionend",transition:"transitionend"};for(var i in e)if(void 0!==t.style[i])return{end:e[i]};return !1;}t.fn.emulateTransitionEnd=function(e){var i=!1,n=this;t(this).one("bsTransitionEnd",function(){i=!0;});var o=function(){i||t(n).trigger(t.support.transition.end);};return setTimeout(o,e),this;},t(function(){t.support.transition=e(),t.support.transition&&(t.event.special.bsTransitionEnd={bindType:t.support.transition.end,delegateType:t.support.transition.end,handle:function(e){return t(e.target).is(this)?e.handleObj.handler.apply(this,arguments):void 0;}});});}(jQuery);function openRuleDetailsDialog(rule_result_id){$("#detail-modal").remove();var closebutton=$('<button type="button" class="close btn btn-sm btn-default" data-dismiss="modal" aria-hidden="true" title="Close">❌</button>');var modal=$('<div id="detail-modal" class="modal fade" tabindex="-1" role="dialog" aria-hidden="true"><div id="detail-modal-body" class="modal-body"></div></div>');$("body").prepend(modal);var clone=$("#rule-detail-"+rule_result_id).clone();clone.attr("id","");clone.children(".panel-heading").append(closebutton);closebutton.css({"float":"right"});closebutton.css({"margin-top":"-=23px"});$("#detail-modal-body").append(clone);$("#detail-modal").modal();return false;}function toggleRuleDisplay(checkbox){var result=checkbox.value;if(checkbox.checked){$(".rule-overview-leaf-"+result).removeClass("rule-result-filtered");$(".rule-detail-"+result).removeClass("rule-result-filtered");}else{$(".rule-overview-leaf-"+result).addClass("rule-result-filtered");$(".rule-detail-"+result).addClass("rule-result-filtered");}stripeTreeTable();}function toggleResultDetails(button){var result_details=$("#result-details");if(result_details.is(":visible")){result_details.hide();$(button).html("Show all result details");}else{result_details.show();$(button).html("Hide all result details");}return false;}function ruleSearchMatches(detail_leaf,keywords){if(keywords.length==0)return true;var match=true;var checked_keywords=detail_leaf.children(".keywords").text().toLowerCase();var index;for(index=0;index<keywords.length;++index)if(checked_keywords.indexOf(keywords[index].toLowerCase())<0){match=false;break;}return match;}function ruleSearch(){var search_input=$("#search-input").val();var keywords=search_input.split(/[\s,\.;]+/);var matches=0;$(".rule-detail").each(function(){var rrid=$(this).attr("id").substring(12);var overview_leaf=$("#rule-overview-leaf-"+rrid);var detail_leaf=$(this);if(ruleSearchMatches(detail_leaf,keywords)){overview_leaf.removeClass("search-no-match");detail_leaf.removeClass("search-no-match");++matches;}else{overview_leaf.addClass("search-no-match");detail_leaf.addClass("search-no-match");}});if(!search_input)$("#search-matches").html("");else if(matches>0)$("#search-matches").html(matches.toString()+" rules match.");else $("#search-matches").html("No rules match your search criteria!");}var is_original=true;var original_treetable=null;$(document).ready(function(){$("#result-details").hide();$(".js-only").show();$(".form-group select").val("default");$(".toggle-rule-display").each(function(){toggleRuleDisplay(this);});original_treetable=$(".treetable").clone();$(".treetable").treetable({column:0,expandable:true,clickableNodeNames:true,initialState:"expanded",indent:0});is_original=true;stripeTreeTable();});function resetTreetable(){if(!is_original){$(".treetable").remove();$("#rule-overview").append(original_treetable.clone());$(".treetable").treetable({column:0,expandable:true,clickableNodeNames:true,initialState:"expanded",indent:0});$(".toggle-rule-display").each(function(){toggleRuleDisplay(this);});is_original=true;}}function newGroupLine(key,group_name){var maxKeyLength=24;if(key.length>maxKeyLength)key=key.substring(0,maxKeyLength-1)+"â¦";return "<tr class=\"rule-overview-inner-node\" data-tt-id=\""+group_name+"\">"+"<td colspan=\"3\"><small>"+key+"</small> = <strong>"+group_name+"</strong></td></tr>";}var KeysEnum={DEFAULT:"default",SEVERITY:"severity",RESULT:"result",NIST:"NIST SP 800-53 ID",DISA_CCI:"DISA CCI",DISA_SRG:"DISA SRG",DISA_STIG_ID:"DISA STIG ID",PCI_DSS:"PCI DSS Requirement",CIS:"CIS Recommendation"};function getTargetGroupsList(rule,key){switch(key){case KeysEnum.SEVERITY:var severity=rule.children(".rule-severity").text();return [severity];case KeysEnum.RESULT:var result=rule.children(".rule-result").text();return [result];default:try{var references=JSON.parse(rule.attr("data-references"));}catch(err){return ["unknown"];}if(!references.hasOwnProperty(key))return ["unknown"];return references[key];}}function sortGroups(groups,key){switch(key){case KeysEnum.SEVERITY:return ["high","medium","low"];case KeysEnum.RESULT:return groups.sort();default:return groups.sort(function(a,b){var a_parts=a.split(/[.()-]/);var b_parts=b.split(/[.()-]/);var result=0;var min_length=Math.min(a_parts.length,b_parts.length);var number=/^[1-9][0-9]*$/;for(i=0;i<min_length&&result==0;i++)if(a_parts[i].match(number)==null||a_parts[i].match(number)==null)result=a_parts[i].localeCompare(b_parts[i]);else result=parseInt(a_parts[i])-parseInt(b_parts[i]);if(result==0)result=a_parts.length-b_parts.length;return result;});}}function groupRulesBy(key){resetTreetable();if(key==KeysEnum.DEFAULT)return;var lines={};$(".rule-overview-leaf").each(function(){$(this).children("td:first").css("padding-left","0px");var id=$(this).attr("data-tt-id");var target_groups=getTargetGroupsList($(this),key);for(i=0;i<target_groups.length;i++){var target_group=target_groups[i];if(!lines.hasOwnProperty(target_group))lines[target_group]=[newGroupLine(key,target_group)];var clone=$(this).clone();clone.attr("data-tt-id",id+"copy"+i);clone.attr("data-tt-parent-id",target_group);var new_line=clone.wrap("<div>").parent().html();lines[target_group].push(new_line);}});$(".treetable").remove();var groups=sortGroups(Object.keys(lines),key);var html_text="";for(i=0;i<groups.length;i++)html_text+=lines[groups[i]].join("\n");new_table="<table class=\"treetable table table-bordered\"><thead><tr><th>Group</th> <th style=\"width: 120px; text-align: center\">Severity</th><th style=\"width: 120px; text-align: center\">Result</th></tr></thead><tbody>"+html_text+"</tbody></table>";$("#rule-overview").append(new_table);is_original=false;$(".treetable").treetable({column:0,expandable:true,clickableNodeNames:true,initialState:"expanded",indent:0});stripeTreeTable();}function stripeTreeTable(){var rows=$(".rule-overview-leaf:not(.rule-result-filtered)");var even=false;$(rows).each(function(){$(this).css("background-color",even?"#F9F9F9":"inherit");even=!even;});}</script></head><body><nav class="navbar navbar-default" role="navigation"><div class="navbar-header" style="float: none"><a class="navbar-brand" href="#"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" width="52" height="52" id="svg2"><g transform="matrix(0.75266991,0,0,0.75266991,-17.752968,-104.57468)" id="g32"><path d="m 24.7,173.5 c 0,-9 3.5,-17.5 9.9,-23.9 6.8,-6.8 15.7,-10.4 25,-10 8.6,0.3 16.9,3.9 22.9,9.8 6.4,6.4 9.9,14.9 10,23.8 0.1,9.1 -3.5,17.8 -10,24.3 -13.2,13.2 -34.7,13.1 -48,-0.1 -1.5,-1.5 -1.9,-4.2 0.2,-6.2 l 9,-9 c -2,-3.6 -4.9,-13.1 2.6,-20.7 7.6,-7.6 18.6,-6 24.4,-0.2 3.3,3.3 5.1,7.6 5.1,12.1 0.1,4.6 -1.8,9.1 -5.3,12.5 -4.2,4.2 -10.2,5.8 -16.1,4.4 -1.5,-0.4 -2.4,-1.9 -2.1,-3.4 0.4,-1.5 1.9,-2.4 3.4,-2.1 4.1,1 8,-0.1 10.9,-2.9 2.3,-2.3 3.6,-5.3 3.6,-8.4 0,0 0,-0.1 0,-0.1 0,-3 -1.3,-5.9 -3.5,-8.2 -3.9,-3.9 -11.3,-4.9 -16.5,0.2 -6.3,6.3 -1.6,14.1 -1.6,14.2 1.5,2.4 0.7,5 -0.9,6.3 l -8.4,8.4 c 9.9,8.9 27.2,11.2 39.1,-0.8 5.4,-5.4 8.4,-12.5 8.4,-20 0,-0.1 0,-0.2 0,-0.3 -0.1,-7.5 -3,-14.6 -8.4,-19.9 -5,-5 -11.9,-8 -19.1,-8.2 -7.8,-0.3 -15.2,2.7 -20.9,8.4 -8.7,8.7 -8.7,19 -7.9,24.3 0.3,2.4 1.1,4.9 2.2,7.3 0.6,1.4 0,3.1 -1.4,3.7 -1.4,0.6 -3.1,0 -3.7,-1.4 -1.3,-2.9 -2.2,-5.8 -2.6,-8.7 -0.3,-1.7 -0.4,-3.5 -0.4,-5.2 z" id="path34" style="fill:#12497f"></path></g></svg></a><div><h1>OpenSCAP Evaluation Report</h1></div></div></nav><div class="container"><div id="content"><div id="introduction"><div class="row"><h2>Guide to the Secure Configuration of Red Hat Enterprise Linux 7</h2><blockquote>with profile <mark>DISA STIG for Red Hat Enterprise Linux 7</mark><div class="col-md-12 well well-lg horizontal-scroll"><div class="description profile-description"><small>This profile contains configuration checks that align to the DISA STIG for Red Hat Enterprise Linux V1R4. In addition to being applicable to RHEL7, DISA recognizes this configuration baseline as applicable to the operating system tier of Red Hat technologies that are based off RHEL7, such as: - Red Hat Enterprise Linux Server - Red Hat Enterprise Linux Workstation and Desktop - Red Hat Virtualization Hypervisor (RHV-H) - Red Hat Enterprise Linux for HPC - Red Hat Storage</small></div></div></blockquote><div class="col-md-12 well well-lg horizontal-scroll"><div class="front-matter">The SCAP Security Guide Project<br> <a href="https://www.open-scap.org/security-policies/scap-security-guide">https://www.open-scap.org/security-policies/scap-security-guide</a> </div><div class="description">This guide presents a catalog of security-relevant configuration settings for Red Hat Enterprise Linux 7. It is a rendering of content structured in the eXtensible Configuration Checklist Description Format (XCCDF) in order to support security automation. The SCAP content is is available in the <code>scap-security-guide</code> package which is developed at <a href="https://www.open-scap.org/security-policies/scap-security-guide">https://www.open-scap.org/security-policies/scap-security-guide</a>. <br><br> Providing system administrators with such guidance informs them how to securely configure systems under their control in a variety of network roles. Policy makers and baseline creators can use this catalog of settings, with its associated references to higher-level security control catalogs, in order to assist them in security baseline creation. This guide is a <em>catalog, not a checklist</em>, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios. However, the XCCDF format enables granular selection and adjustment of settings, and their association with OVAL and OCIL content provides an automated checking capability. Transformations of this document, and its associated automated checking content, are capable of providing baselines that meet a diverse set of policy objectives. Some example XCCDF <em>Profiles</em>, which are selections of items that form checklists and can be used as baselines, are available with this guide. They can be processed, in an automated fashion, with tools that support the Security Content Automation Protocol (SCAP). The DISA STIG for Red Hat Enterprise Linux 7, which provides required settings for US Department of Defense systems, is one example of a baseline created from this guidance. </div><div class="top-spacer-10"><div class="alert alert-info">Do not attempt to implement any of the settings in this guide without first testing them in a non-operational environment. The creators of this guidance assume no responsibility whatsoever for its use by other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic. </div></div></div></div></div><div id="characteristics"><h2>Evaluation Characteristics</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Evaluation target</th><td>localhost</td></tr><tr><th>Benchmark URL</th><td>/root/openscap_data/cdrom.xml</td></tr><tr><th>Benchmark ID</th><td>xccdf_org.ssgproject.content_benchmark_RHEL-7</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_stig-rhel7-disa</td></tr><tr><th>Started at</th><td>2018-08-27T15:28:14</td></tr><tr><th>Finished at</th><td>2018-08-27T15:28:14</td></tr><tr><th>Performed by</th><td></td></tr></table></div><div class="col-md-3 horizontal-scroll"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-success" title="CPE platform cpe:/o:redhat:enterprise_linux:7 was found applicable on the evaluated machine">cpe:/o:redhat:enterprise_linux:7</span></li><li class="list-group-item"><span class="label label-success" title="CPE platform cpe:/o:redhat:enterprise_linux:7::client was found applicable on the evaluated machine">cpe:/o:redhat:enterprise_linux:7::client</span></li><li class="list-group-item"><span class="label label-success" title="CPE platform cpe:/o:redhat:enterprise_linux:7::computenode was found applicable on the evaluated machine">cpe:/o:redhat:enterprise_linux:7::computenode</span></li></ul></div><div class="col-md-4 horizontal-scroll"><h4>Addresses</h4><ul class="list-group"><li class="list-group-item"><span class="label label-primary">IPv4</span>  127.0.0.1</li><li class="list-group-item"><span class="label label-primary">IPv4</span>  192.168.122.98</li><li class="list-group-item"><span class="label label-info">IPv6</span>  0:0:0:0:0:0:0:1</li><li class="list-group-item"><span class="label label-info">IPv6</span>  fe80:0:0:0:5054:ff:fe14:6849</li><li class="list-group-item"><span class="label label-default">MAC</span>  00:00:00:00:00:00</li><li class="list-group-item"><span class="label label-default">MAC</span>  52:54:00:14:68:49</li></ul></div></div></div><div id="compliance-and-scoring"><h2>Compliance and Scoring</h2><div class="alert alert-danger"><strong>The target system did not satisfy the conditions of 9 rules!</strong> Furthermore, the results of 10 rules were inconclusive. Please review rule results and consider applying remediation. </div><h3>Rule results</h3><div class="progress" title="Displays proportion of passed/fixed, failed/error, and other rules (in that order). There were 243 rules taken into account."><div class="progress-bar progress-bar-success" style="width: 80.6584362139918%">196 passed </div><div class="progress-bar progress-bar-danger" style="width: 3.703703703703703%">9 failed </div><div class="progress-bar progress-bar-warning" style="width: 15.6378600823045%">38 other </div></div><h3>Severity of failed rules</h3><div class="progress" title="Displays proportion of high, medium, low, and other severity failed rules (in that order). There were 9 total failed rules."><div class="progress-bar progress-bar-success" style="width: 11.1111111111111%">1 other </div><div class="progress-bar progress-bar-info" style="width: 0%">0 low </div><div class="progress-bar progress-bar-warning" style="width: 55.5555555555556%">5 medium </div><div class="progress-bar progress-bar-danger" style="width: 33.3333333333333%">3 high </div></div><h3 title="As per the XCCDF specification">Score</h3><table class="table table-striped table-bordered"><thead><tr><th>Scoring system</th><th class="text-center">Score</th><th class="text-center">Maximum</th><th class="text-center" style="width: 40%">Percent</th></tr></thead><tbody><tr><td>urn:xccdf:scoring:default</td><td class="text-center">80.950165</td><td class="text-center">100.000000</td><td><div class="progress"><div class="progress-bar progress-bar-success" style="width: 80.950165%">80.95%</div><div class="progress-bar progress-bar-danger" style="width: 19.049835%"></div></div></td></tr></tbody></table></div><div id="rule-overview"><h2>Rule Overview</h2><div class="form-group js-only hidden-print"><div class="row"><div title="Filter rules by their XCCDF result"><div class="col-sm-2 toggle-rule-display-success"><div class="checkbox"><label><input class="toggle-rule-display" type="checkbox" onclick="toggleRuleDisplay(this)" checked value="pass"></input>pass</label></div><div class="checkbox"><label><input class="toggle-rule-display" type="checkbox" onclick="toggleRuleDisplay(this)" checked value="fixed"></input>fixed</label></div><div class="checkbox"><label><input class="toggle-rule-display" type="checkbox" onclick="toggleRuleDisplay(this)" checked value="informational"></input>informational</label></div></div><div class="col-sm-2 toggle-rule-display-danger"><div class="checkbox"><label><input class="toggle-rule-display" type="checkbox" onclick="toggleRuleDisplay(this)" checked value="fail"></input>fail</label></div><div class="checkbox"><label><input class="toggle-rule-display" type="checkbox" onclick="toggleRuleDisplay(this)" checked value="error"></input>error</label></div><div class="checkbox"><label><input class="toggle-rule-display" type="checkbox" onclick="toggleRuleDisplay(this)" checked value="unknown"></input>unknown</label></div></div><div class="col-sm-2 toggle-rule-display-other"><div class="checkbox"><label><input class="toggle-rule-display" type="checkbox" onclick="toggleRuleDisplay(this)" checked value="notchecked"></input>notchecked</label></div><div class="checkbox"><label><input class="toggle-rule-display" type="checkbox" onclick="toggleRuleDisplay(this)" checked value="notapplicable"></input>notapplicable</label></div></div></div><div class="col-sm-6"><div class="input-group"><input type="text" class="form-control" placeholder="Search through XCCDF rules" id="search-input" oninput="ruleSearch()"></input><div class="input-group-btn"><button class="btn btn-default" onclick="ruleSearch()">Search</button></div></div><p id="search-matches"></p> Group rules by: <select name="groupby" onchange="groupRulesBy(value)"><option value="default" selected>Default</option><option value="severity">Severity</option><option value="result">Result</option><option disabled>ââââââââââ</option><option value="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx</option><option value="DISA CCI">DISA CCI</option><option value="DISA SRG">DISA SRG</option><option value="DISA STIG">DISA STIG</option><option value="NIST SP 800-171">NIST SP 800-171</option><option value="NIST SP 800-53">NIST SP 800-53</option><option value="ANSSI">ANSSI</option><option value="CIS Recommendation">CIS Recommendation</option><option value="FBI CJIS">FBI CJIS</option><option value="HIPAA">HIPAA</option><option value="ISO 27001-2013">ISO 27001-2013</option><option value="https://www.niap-ccevs.org/Profile/PP.cfm">https://www.niap-ccevs.org/Profile/PP.cfm</option><option value="PCI-DSS Requirement">PCI-DSS Requirement</option></select></div></div></div><table class="treetable table table-bordered"><thead><tr><th>Title</th><th style="width: 120px; text-align: center">Severity</th><th style="width: 120px; text-align: center">Result</th></tr></thead><tbody><tr data-tt-id="xccdf_org.ssgproject.content_benchmark_RHEL-7" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td colspan="3" style="padding-left: 0px"><strong>Guide to the Secure Configuration of Red Hat Enterprise Linux 7</strong> <span class="badge">9x fail</span> <span class="badge">10x error</span> <span class="badge">28x notchecked</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_services" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_services" data-tt-parent-id="xccdf_org.ssgproject.content_benchmark_RHEL-7"><td colspan="3" style="padding-left: 19px"><strong>Services</strong> <span class="badge">4x error</span> <span class="badge">2x notchecked</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_obsolete" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_obsolete" data-tt-parent-id="xccdf_org.ssgproject.content_group_services"><td colspan="3" style="padding-left: 38px">Obsolete Services<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_obsolete");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_r_services" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_r_services" data-tt-parent-id="xccdf_org.ssgproject.content_group_obsolete"><td colspan="3" style="padding-left: 57px">Rlogin, Rsh, and Rexec<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_r_services");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_no_host_based_files" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_no_host_based_files" id="rule-overview-leaf-idm46336716330976" data-tt-parent-id="xccdf_org.ssgproject.content_group_r_services" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86903r1_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-040550"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336716330976" onclick="return openRuleDetailsDialog('idm46336716330976')">Remove Host-Based Authentication Files</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_no_user_host_based_files" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_no_user_host_based_files" id="rule-overview-leaf-idm46336716324560" data-tt-parent-id="xccdf_org.ssgproject.content_group_r_services" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86901r1_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-040540"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336716324560" onclick="return openRuleDetailsDialog('idm46336716324560')">Remove User Host-Based Authentication Files</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_rsh-server_removed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_rsh-server_removed" id="rule-overview-leaf-idm46336716320592" data-tt-parent-id="xccdf_org.ssgproject.content_group_r_services" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86591r1_rule"],"DISA CCI":["CCI-000381"],"DISA SRG":["SRG-OS-000095-GPOS-00049"],"DISA STIG":["RHEL-07-020000"],"NIST SP 800-53":["AC-17(8)","CM-7(a)"],"HIPAA":["164.308(a)(4)(i)","164.308(b)(1)","164.308(b)(3)","164.310(b)","164.312(e)(1)","164.312(e)(2)(ii)"],"ISO 27001-2013":["A.8.2.3","A.13.1.1","A.13.2.1","A.13.2.3","A.14.1.2","A.14.1.3"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336716320592" onclick="return openRuleDetailsDialog('idm46336716320592')">Uninstall rsh-server Package</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_telnet" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_telnet" data-tt-parent-id="xccdf_org.ssgproject.content_group_obsolete"><td colspan="3" style="padding-left: 57px">Telnet<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_telnet");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_telnet-server_removed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_telnet-server_removed" id="rule-overview-leaf-idm46336716309104" data-tt-parent-id="xccdf_org.ssgproject.content_group_telnet" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86701r1_rule"],"DISA CCI":["CCI-000381"],"DISA SRG":["SRG-OS-000095-GPOS-00049"],"DISA STIG":["RHEL-07-021710"],"NIST SP 800-53":["AC-17(8)","CM-7(a)"],"CIS Recommendation":["2.1.1"],"HIPAA":["164.308(a)(4)(i)","164.308(b)(1)","164.308(b)(3)","164.310(b)","164.312(e)(1)","164.312(e)(2)(ii)"],"ISO 27001-2013":["A.8.2.3","A.13.1.1","A.13.2.1","A.13.2.3","A.14.1.2","A.14.1.3"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336716309104" onclick="return openRuleDetailsDialog('idm46336716309104')">Uninstall telnet-server Package</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_nis" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_nis" data-tt-parent-id="xccdf_org.ssgproject.content_group_obsolete"><td colspan="3" style="padding-left: 57px">NIS<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_nis");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_ypserv_removed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_ypserv_removed" id="rule-overview-leaf-idm46336716300096" data-tt-parent-id="xccdf_org.ssgproject.content_group_nis" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86593r1_rule"],"DISA CCI":["CCI-000381"],"DISA SRG":["SRG-OS-000095-GPOS-00049"],"DISA STIG":["RHEL-07-020010"],"NIST SP 800-53":["AC-17(8)","CM-7(a)"],"CIS Recommendation":["2.2.16"],"HIPAA":["164.308(a)(4)(i)","164.308(b)(1)","164.308(b)(3)","164.310(b)","164.312(e)(1)","164.312(e)(2)(ii)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336716300096" onclick="return openRuleDetailsDialog('idm46336716300096')">Uninstall ypserv Package</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_tftp" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_tftp" data-tt-parent-id="xccdf_org.ssgproject.content_group_obsolete"><td colspan="3" style="padding-left: 57px">TFTP Server<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_tftp");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_tftp-server_removed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_tftp-server_removed" id="rule-overview-leaf-idm46336716291120" data-tt-parent-id="xccdf_org.ssgproject.content_group_tftp" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86925r1_rule"],"DISA CCI":["CCI-000318","CCI-000368","CCI-001812","CCI-001813","CCI-001814"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-040700"],"NIST SP 800-53":["AC-17(8)","CM-6(c)","CM-7"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336716291120" onclick="return openRuleDetailsDialog('idm46336716291120')">Uninstall tftp-server Package</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_tftpd_uses_secure_mode" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_tftpd_uses_secure_mode" id="rule-overview-leaf-idm46336716287152" data-tt-parent-id="xccdf_org.ssgproject.content_group_tftp" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86929r2_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-040720"],"NIST SP 800-53":["AC-6","AC-17(8)","CM-7"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336716287152" onclick="return openRuleDetailsDialog('idm46336716287152')">Ensure tftp Daemon Uses Secure Mode</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_ftp" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_ftp" data-tt-parent-id="xccdf_org.ssgproject.content_group_services"><td colspan="3" style="padding-left: 38px">FTP Server<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_ftp");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_disabling_vsftpd" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_disabling_vsftpd" data-tt-parent-id="xccdf_org.ssgproject.content_group_ftp"><td colspan="3" style="padding-left: 57px">Disable vsftpd if Possible<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_disabling_vsftpd");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_vsftpd_removed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_vsftpd_removed" id="rule-overview-leaf-idm46336716249152" data-tt-parent-id="xccdf_org.ssgproject.content_group_disabling_vsftpd" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86923r2_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-040690"],"NIST SP 800-53":["CM-6(b)","CM-7"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336716249152" onclick="return openRuleDetailsDialog('idm46336716249152')">Uninstall vsftpd Package</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_snmp" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_snmp" data-tt-parent-id="xccdf_org.ssgproject.content_group_services"><td colspan="3" style="padding-left: 38px">SNMP Server<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_snmp");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_snmp_configure_server" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_snmp_configure_server" data-tt-parent-id="xccdf_org.ssgproject.content_group_snmp"><td colspan="3" style="padding-left: 57px">Configure SNMP Server if Necessary<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_snmp_configure_server");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_snmpd_not_default_password" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_snmpd_not_default_password" id="rule-overview-leaf-idm46336716242704" data-tt-parent-id="xccdf_org.ssgproject.content_group_snmp_configure_server" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86937r1_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-040800"],"NIST SP 800-53":["IA-5.1(ii)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336716242704" onclick="return openRuleDetailsDialog('idm46336716242704')">Ensure Default SNMP Password Is Not Used</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_cron_and_at" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_cron_and_at" data-tt-parent-id="xccdf_org.ssgproject.content_group_services"><td colspan="3" style="padding-left: 38px">Cron and At Daemons<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_cron_and_at");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_restrict_at_cron_users" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_restrict_at_cron_users" data-tt-parent-id="xccdf_org.ssgproject.content_group_cron_and_at"><td colspan="3" style="padding-left: 57px">Restrict at and cron to Authorized Users if Necessary<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_restrict_at_cron_users");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_file_groupowner_cron_allow" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_file_groupowner_cron_allow" id="rule-overview-leaf-idm46336716233696" data-tt-parent-id="xccdf_org.ssgproject.content_group_restrict_at_cron_users" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86679r1_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-021120"],"NIST SP 800-53":["AC-6"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336716233696" onclick="return openRuleDetailsDialog('idm46336716233696')">Verify Group Who Owns /etc/cron.allow file</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_file_owner_cron_allow" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_file_owner_cron_allow" id="rule-overview-leaf-idm46336716229728" data-tt-parent-id="xccdf_org.ssgproject.content_group_restrict_at_cron_users" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86677r2_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-021110"],"NIST SP 800-53":["AC-6"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336716229728" onclick="return openRuleDetailsDialog('idm46336716229728')">Verify User Who Owns /etc/cron.allow file</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_xwindows" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_xwindows" data-tt-parent-id="xccdf_org.ssgproject.content_group_services"><td colspan="3" style="padding-left: 38px">X Window System<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_xwindows");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_disabling_xwindows" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_disabling_xwindows" data-tt-parent-id="xccdf_org.ssgproject.content_group_xwindows"><td colspan="3" style="padding-left: 57px">Disable X Windows<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_disabling_xwindows");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_xorg-x11-server-common_removed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_xorg-x11-server-common_removed" id="rule-overview-leaf-idm46336716215728" data-tt-parent-id="xccdf_org.ssgproject.content_group_disabling_xwindows" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86931r3_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-040730"],"NIST SP 800-53":["AC-17(8).1(ii)"],"CIS Recommendation":["2.2.2"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336716215728" onclick="return openRuleDetailsDialog('idm46336716215728')">Remove the X Windows Package Group</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_sssd" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_sssd" data-tt-parent-id="xccdf_org.ssgproject.content_group_services"><td colspan="3" style="padding-left: 38px"><strong>System Security Services Daemon</strong> <span class="badge">1x notchecked</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_sssd-ldap" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_sssd-ldap" data-tt-parent-id="xccdf_org.ssgproject.content_group_sssd"><td colspan="3" style="padding-left: 57px"><strong>System Security Services Daemon (SSSD) - LDAP</strong> <span class="badge">1x notchecked</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sssd_ldap_configure_tls_ca_dir" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sssd_ldap_configure_tls_ca_dir" id="rule-overview-leaf-idm46336716008032" data-tt-parent-id="xccdf_org.ssgproject.content_group_sssd-ldap" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86853r2_rule"],"DISA CCI":["CCI-001453"],"DISA SRG":["SRG-OS-000250-GPOS-00093"],"DISA STIG":["RHEL-07-040190"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336716008032" onclick="return openRuleDetailsDialog('idm46336716008032')">Configure SSSD LDAP Backend Client CA Certificate Location</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sssd_ldap_start_tls" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sssd_ldap_start_tls" id="rule-overview-leaf-idm46336716002768" data-tt-parent-id="xccdf_org.ssgproject.content_group_sssd-ldap" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86851r2_rule"],"DISA CCI":["CCI-001453"],"DISA SRG":["SRG-OS-000250-GPOS-00093"],"DISA STIG":["RHEL-07-040180"],"NIST SP 800-53":["AC-17(2)","CM-7"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336716002768" onclick="return openRuleDetailsDialog('idm46336716002768')">Configure SSSD LDAP Backend to Use TLS For All Transactions</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sssd_ldap_configure_tls_ca" class="rule-overview-leaf rule-overview-leaf-notchecked rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sssd_ldap_configure_tls_ca" id="rule-overview-leaf-idm46336715997088" data-tt-parent-id="xccdf_org.ssgproject.content_group_sssd-ldap" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86855r2_rule"],"DISA CCI":["CCI-001453"],"DISA SRG":["SRG-OS-000250-GPOS-00093"],"DISA STIG":["RHEL-07-040200"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336715997088" onclick="return openRuleDetailsDialog('idm46336715997088')">Configure SSSD LDAP Backend Client CA Certificate</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sssd_enable_pam_services" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sssd_enable_pam_services" id="rule-overview-leaf-idm46336715991328" data-tt-parent-id="xccdf_org.ssgproject.content_group_sssd" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-87051r3_rule"],"DISA CCI":["CCI-001948","CCI-001953","CCI-001954"],"DISA SRG":["SRG-OS-000375-GPOS-00160","SRG-OS-000375-GPOS-00161","SRG-OS-000375-GPOS-00162"],"DISA STIG":["RHEL-07-041002"],"NIST SP 800-53":["IA-2(11)"]}'><td style="padding-left: 57px"><a href="#rule-detail-idm46336715991328" onclick="return openRuleDetailsDialog('idm46336715991328')">Configure PAM in SSSD Services</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_ntp" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_ntp" data-tt-parent-id="xccdf_org.ssgproject.content_group_services"><td colspan="3" style="padding-left: 38px">Network Time Protocol<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_ntp");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_set_maxpoll" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_set_maxpoll" id="rule-overview-leaf-idm46336715966816" data-tt-parent-id="xccdf_org.ssgproject.content_group_ntp" data-references='{"":["SRG-OS-000356-GPOS-00144"],"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86893r2_rule"],"DISA CCI":["CCI-001891","CCI-002046"],"DISA SRG":["SRG-OS-000355-GPOS-00143"],"DISA STIG":["RHEL-07-040500"],"NIST SP 800-53":["AU-8(1)(a)"]}'><td style="padding-left: 57px"><a href="#rule-detail-idm46336715966816" onclick="return openRuleDetailsDialog('idm46336715966816')">Configure Time Service Maxpoll Interval</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_base" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_base" data-tt-parent-id="xccdf_org.ssgproject.content_group_services"><td colspan="3" style="padding-left: 38px"><strong>Base Services</strong> <span class="badge">1x error</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_kdump_disabled" class="rule-overview-leaf rule-overview-leaf-error rule-overview-needs-attention" id="rule-overview-leaf-idm46336715902496" data-tt-parent-id="xccdf_org.ssgproject.content_group_base" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86681r1_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-021300"],"NIST SP 800-53":["AC-17(8)","CM-7","CM-6(b)"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)","164.308(a)(4)","164.310(b)","164.310(c)","164.312(a)","164.312(e)"]}'><td style="padding-left: 57px"><a href="#rule-detail-idm46336715902496" onclick="return openRuleDetailsDialog('idm46336715902496')">Disable KDump Kernel Crash Analyzer (kdump)</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-error"><div><abbr title="The checking engine could not complete the evaluation, therefore the status of the target's compliance with the rule is not certain. This could happen, for example, if a testing tool was run with insufficient privileges and could not gather all of the necessary information.">error</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_mail" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_mail" data-tt-parent-id="xccdf_org.ssgproject.content_group_services"><td colspan="3" style="padding-left: 38px"><strong>Mail Server Software</strong> <span class="badge">1x notchecked</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_postfix_harden_os" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_postfix_harden_os" data-tt-parent-id="xccdf_org.ssgproject.content_group_mail"><td colspan="3" style="padding-left: 57px"><strong>Configure Operating System to Protect Mail Server</strong> <span class="badge">1x notchecked</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_postfix_server_cfg" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_postfix_server_cfg" data-tt-parent-id="xccdf_org.ssgproject.content_group_postfix_harden_os"><td colspan="3" style="padding-left: 76px"><strong>Configure Postfix if Necessary</strong> <span class="badge">1x notchecked</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_postfix_server_relay" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_postfix_server_relay" data-tt-parent-id="xccdf_org.ssgproject.content_group_postfix_server_cfg"><td colspan="3" style="padding-left: 95px"><strong>Control Mail Relaying</strong> <span class="badge">1x notchecked</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_postfix_prevent_unrestricted_relay" class="rule-overview-leaf rule-overview-leaf-notchecked rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_postfix_prevent_unrestricted_relay" id="rule-overview-leaf-idm46336715876112" data-tt-parent-id="xccdf_org.ssgproject.content_group_postfix_server_relay" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86921r2_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-040680"]}'><td style="padding-left: 114px"><a href="#rule-detail-idm46336715876112" onclick="return openRuleDetailsDialog('idm46336715876112')">Prevent Unrestricted Mail Relaying</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_nfs_and_rpc" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_nfs_and_rpc" data-tt-parent-id="xccdf_org.ssgproject.content_group_services"><td colspan="3" style="padding-left: 38px">NFS and RPC<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_nfs_and_rpc");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_nfs_configuring_clients" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_nfs_configuring_clients" data-tt-parent-id="xccdf_org.ssgproject.content_group_nfs_and_rpc"><td colspan="3" style="padding-left: 57px">Configure NFS Clients<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_nfs_configuring_clients");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_mounting_remote_filesystems" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_mounting_remote_filesystems" data-tt-parent-id="xccdf_org.ssgproject.content_group_nfs_configuring_clients"><td colspan="3" style="padding-left: 76px">Mount Remote Filesystems with Restrictive Options<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_mounting_remote_filesystems");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_mount_option_krb_sec_remote_filesystems" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_mount_option_krb_sec_remote_filesystems" id="rule-overview-leaf-idm46336715816192" data-tt-parent-id="xccdf_org.ssgproject.content_group_mounting_remote_filesystems" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86935r3_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-040750"],"NIST SP 800-53":["AC-14(1)"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336715816192" onclick="return openRuleDetailsDialog('idm46336715816192')">Mount Remote Filesystems with Kerberos Security</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_mount_option_noexec_remote_filesystems" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_mount_option_noexec_remote_filesystems" id="rule-overview-leaf-idm46336715812208" data-tt-parent-id="xccdf_org.ssgproject.content_group_mounting_remote_filesystems" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-87813r1_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-021021"],"NIST SP 800-53":["AC-6"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336715812208" onclick="return openRuleDetailsDialog('idm46336715812208')">Mount Remote Filesystems with noexec</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_mount_option_nosuid_remote_filesystems" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_mount_option_nosuid_remote_filesystems" id="rule-overview-leaf-idm46336715808272" data-tt-parent-id="xccdf_org.ssgproject.content_group_mounting_remote_filesystems" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86669r1_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-021020"],"NIST SP 800-53":["AC-6"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336715808272" onclick="return openRuleDetailsDialog('idm46336715808272')">Mount Remote Filesystems with nosuid</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_ssh" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_ssh" data-tt-parent-id="xccdf_org.ssgproject.content_group_services"><td colspan="3" style="padding-left: 38px"><strong>SSH Server</strong> <span class="badge">3x error</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_ssh_server" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_ssh_server" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh"><td colspan="3" style="padding-left: 57px">Configure OpenSSH Server if Necessary<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_ssh_server");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sshd_enable_strictmodes" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sshd_enable_strictmodes" id="rule-overview-leaf-idm46336715766960" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh_server" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86887r2_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-040450"],"NIST SP 800-171":["3.1.12"],"NIST SP 800-53":["AC-6"],"HIPAA":["164.308(a)(4)(i)","164.308(b)(1)","164.308(b)(3)","164.310(b)","164.312(e)(1)","164.312(e)(2)(ii)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336715766960" onclick="return openRuleDetailsDialog('idm46336715766960')">Enable Use of Strict Mode Checking</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sshd_disable_user_known_hosts" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sshd_disable_user_known_hosts" id="rule-overview-leaf-idm46336715762144" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh_server" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86873r2_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-040380"],"NIST SP 800-171":["3.1.12"],"NIST SP 800-53":["CM-6(a)"],"HIPAA":["164.308(a)(4)(i)","164.308(b)(1)","164.308(b)(3)","164.310(b)","164.312(e)(1)","164.312(e)(2)(ii)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FIA_AFL.1"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336715762144" onclick="return openRuleDetailsDialog('idm46336715762144')">Disable SSH Support for User Known Hosts</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords" id="rule-overview-leaf-idm46336715744304" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh_server" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86563r2_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00229"],"DISA STIG":["RHEL-07-010300"],"NIST SP 800-171":["3.1.1","3.1.5"],"NIST SP 800-53":["AC-3","AC-6","CM-6(b)"],"CIS Recommendation":["5.2.9"],"FBI CJIS":["5.5.6"],"HIPAA":["164.308(a)(4)(i)","164.308(b)(1)","164.308(b)(3)","164.310(b)","164.312(e)(1)","164.312(e)(2)(ii)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FIA_AFL.1"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336715744304" onclick="return openRuleDetailsDialog('idm46336715744304')">Disable SSH Access via Empty Passwords</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_keepalive" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_keepalive" id="rule-overview-leaf-idm46336715734672" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh_server" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86865r3_rule"],"DISA CCI":["CCI-001133","CCI-002361"],"DISA SRG":["SRG-OS-000163-GPOS-00072","SRG-OS-000279-GPOS-00109"],"DISA STIG":["RHEL-07-040340"],"NIST SP 800-171":["3.1.11"],"NIST SP 800-53":["AC-2(5)","SA-8","AC-12"],"CIS Recommendation":["5.2.12"],"FBI CJIS":["5.5.6"],"HIPAA":["164.308(a)(4)(i)","164.308(b)(1)","164.308(b)(3)","164.310(b)","164.312(e)(1)","164.312(e)(2)(ii)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336715734672" onclick="return openRuleDetailsDialog('idm46336715734672')">Set SSH Client Alive Count</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sshd_disable_rhosts_rsa" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sshd_disable_rhosts_rsa" id="rule-overview-leaf-idm46336715724848" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh_server" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86863r3_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-040330"],"NIST SP 800-171":["3.1.12"],"NIST SP 800-53":["CM-6(a)"],"HIPAA":["164.308(a)(4)(i)","164.308(b)(1)","164.308(b)(3)","164.310(b)","164.312(e)(1)","164.312(e)(2)(ii)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FIA_AFL.1"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336715724848" onclick="return openRuleDetailsDialog('idm46336715724848')">Disable SSH Support for Rhosts RSA Authentication</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner" id="rule-overview-leaf-idm46336715755776" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh_server" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86849r3_rule"],"DISA CCI":["CCI-000048","CCI-000050","CCI-001384","CCI-001385","CCI-001386","CCI-001387","CCI-001388"],"DISA SRG":["SRG-OS-000023-GPOS-00006","SRG-OS-000024-GPOS-00007","SRG-OS-000228-GPOS-00088"],"DISA STIG":["RHEL-07-040170"],"NIST SP 800-171":["3.1.9"],"NIST SP 800-53":["AC-8(a)","AC-8(b)","AC-8(c)(1)","AC-8(c)(2)","AC-8(c)(3)"],"CIS Recommendation":["5.2.16"],"FBI CJIS":["5.5.6"],"HIPAA":["164.308(a)(4)(i)","164.308(b)(1)","164.308(b)(3)","164.310(b)","164.312(e)(1)","164.312(e)(2)(ii)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_MOF_EXT.1"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336715755776" onclick="return openRuleDetailsDialog('idm46336715755776')">Enable SSH Warning Banner</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sshd_use_approved_macs" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sshd_use_approved_macs" id="rule-overview-leaf-idm46336715707360" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh_server" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86877r2_rule"],"DISA CCI":["CCI-001453"],"DISA SRG":["SRG-OS-000250-GPOS-00093"],"DISA STIG":["RHEL-07-040400"],"NIST SP 800-171":["3.1.13","3.13.11","3.13.8"],"NIST SP 800-53":["AC-17(2)","IA-7","SC-13"],"CIS Recommendation":["5.2.12"],"HIPAA":["164.308(b)(1)","164.308(b)(2)","164.312(e)(1)","164.312(e)(2)(i)","164.312(e)(2)(ii)","164.314(b)(2)(i)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336715707360" onclick="return openRuleDetailsDialog('idm46336715707360')">Use Only FIPS 140-2 Validated MACs</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sshd_do_not_permit_user_env" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sshd_do_not_permit_user_env" id="rule-overview-leaf-idm46336715702240" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh_server" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86581r2_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00229"],"DISA STIG":["RHEL-07-010460"],"NIST SP 800-171":["3.1.12"],"NIST SP 800-53":["CM-6(b)"],"CIS Recommendation":["5.2.10"],"FBI CJIS":["5.5.6"],"HIPAA":["164.308(a)(4)(i)","164.308(b)(1)","164.308(b)(3)","164.310(b)","164.312(e)(1)","164.312(e)(2)(ii)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336715702240" onclick="return openRuleDetailsDialog('idm46336715702240')">Do Not Allow SSH Environment Options</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sshd_disable_kerb_auth" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sshd_disable_kerb_auth" id="rule-overview-leaf-idm46336715718368" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh_server" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86885r2_rule"],"DISA CCI":["CCI-000368","CCI-000318","CCI-001812","CCI-001813","CCI-001814"],"DISA SRG":["SRG-OS-000364-GPOS-00151"],"DISA STIG":["RHEL-07-040440"],"NIST SP 800-171":["3.1.12"],"NIST SP 800-53":["CM-6(c)"],"HIPAA":["164.308(a)(4)(i)","164.308(b)(1)","164.308(b)(3)","164.310(b)","164.312(e)(1)","164.312(e)(2)(ii)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FIA_AFL.1"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336715718368" onclick="return openRuleDetailsDialog('idm46336715718368')">Disable Kerberos Authentication</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2" id="rule-overview-leaf-idm46336715692480" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh_server" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86875r3_rule"],"DISA CCI":["CCI-000197","CCI-000366"],"DISA SRG":["SRG-OS-000074-GPOS-00042","SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-040390"],"NIST SP 800-171":["3.1.13","3.5.4"],"NIST SP 800-53":["AC-17(8).1(ii)","IA-5(1)(c)"],"CIS Recommendation":["5.2.2"],"FBI CJIS":["5.5.6"],"HIPAA":["164.308(a)(4)(i)","164.308(b)(1)","164.308(b)(3)","164.310(b)","164.312(e)(1)","164.312(e)(2)(ii)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336715692480" onclick="return openRuleDetailsDialog('idm46336715692480')">Allow Only SSH Protocol 2</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sshd_disable_rhosts" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sshd_disable_rhosts" id="rule-overview-leaf-idm46336715684656" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh_server" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86867r2_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-040350"],"NIST SP 800-171":["3.1.12"],"NIST SP 800-53":["AC-3","CM-6(a)"],"CIS Recommendation":["5.2.6"],"FBI CJIS":["5.5.6"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FIA_AFL.1"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336715684656" onclick="return openRuleDetailsDialog('idm46336715684656')">Disable SSH Support for .rhosts Files</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout" id="rule-overview-leaf-idm46336715679904" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh_server" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86861r3_rule"],"DISA CCI":["CCI-001133","CCI-002361"],"DISA SRG":["SRG-OS-000163-GPOS-00072","SRG-OS-000279-GPOS-00109"],"DISA STIG":["RHEL-07-040320"],"NIST SP 800-171":["3.1.11"],"NIST SP 800-53":["AC-2(5)","SA-8(i)","AC-12"],"CIS Recommendation":["5.2.12"],"FBI CJIS":["5.5.6"],"PCI-DSS Requirement":["Req-8.1.8"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336715679904" onclick="return openRuleDetailsDialog('idm46336715679904')">Set SSH Idle Timeout Interval</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sshd_enable_x11_forwarding" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sshd_enable_x11_forwarding" id="rule-overview-leaf-idm46336715659504" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh_server" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86927r3_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-040710"],"NIST SP 800-171":["3.1.13"],"NIST SP 800-53":["CM-2(1)(b)"],"CIS Recommendation":["5.2.4"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336715659504" onclick="return openRuleDetailsDialog('idm46336715659504')">Enable Encrypted X11 Forwarding</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sshd_use_approved_ciphers" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sshd_use_approved_ciphers" id="rule-overview-leaf-idm46336715672736" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh_server" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86845r2_rule"],"DISA CCI":["CCI-000068","CCI-000366","CCI-000803"],"DISA SRG":["SRG-OS-000033-GPOS-00014","SRG-OS-000120-GPOS-00061","SRG-OS-000125-GPOS-00065","SRG-OS-000250-GPOS-00093","SRG-OS-000393-GPOS-00173"],"DISA STIG":["RHEL-07-040110"],"NIST SP 800-171":["3.1.13","3.13.11","3.13.8"],"NIST SP 800-53":["AC-3","AC-17(2)","AU-10(5)","CM-6(b)","IA-5(1)(c)","IA-7"],"CIS Recommendation":["5.2.10"],"FBI CJIS":["5.5.6"],"HIPAA":["164.308(b)(1)","164.308(b)(2)","164.312(e)(1)","164.312(e)(2)(i)","164.312(e)(2)(ii)","164.314(b)(2)(i)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336715672736" onclick="return openRuleDetailsDialog('idm46336715672736')">Use Only FIPS 140-2 Validated Ciphers</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_disable_host_auth" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_disable_host_auth" id="rule-overview-leaf-idm46336715644928" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh_server" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86583r2_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00229"],"DISA STIG":["RHEL-07-010470"],"NIST SP 800-171":["3.1.12"],"NIST SP 800-53":["AC-3","CM-6(b)"],"CIS Recommendation":["5.2.7"],"FBI CJIS":["5.5.6"],"HIPAA":["164.308(a)(4)(i)","164.308(b)(1)","164.308(b)(3)","164.310(b)","164.312(e)(1)","164.312(e)(2)(ii)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FIA_AFL.1"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336715644928" onclick="return openRuleDetailsDialog('idm46336715644928')">Disable Host-Based Authentication</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sshd_use_priv_separation" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sshd_use_priv_separation" id="rule-overview-leaf-idm46336715651120" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh_server" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86889r2_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-040460"],"NIST SP 800-171":["3.1.12"],"NIST SP 800-53":["AC-6"],"HIPAA":["164.308(a)(4)(i)","164.308(b)(1)","164.308(b)(3)","164.310(b)","164.312(e)(1)","164.312(e)(2)(ii)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336715651120" onclick="return openRuleDetailsDialog('idm46336715651120')">Enable Use of Privilege Separation</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sshd_print_last_log" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sshd_print_last_log" id="rule-overview-leaf-idm46336715623520" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh_server" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86869r2_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-040360"],"NIST SP 800-53":["AC-9"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336715623520" onclick="return openRuleDetailsDialog('idm46336715623520')">Print Last Log</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sshd_disable_gssapi_auth" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sshd_disable_gssapi_auth" id="rule-overview-leaf-idm46336715633328" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh_server" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86883r2_rule"],"DISA CCI":["CCI-000368","CCI-000318","CCI-001812","CCI-001813","CCI-001814"],"DISA SRG":["SRG-OS-000364-GPOS-00151"],"DISA STIG":["RHEL-07-040430"],"NIST SP 800-171":["3.1.12"],"NIST SP 800-53":["CM-6(c)"],"HIPAA":["164.308(a)(4)(i)","164.308(b)(1)","164.308(b)(3)","164.310(b)","164.312(e)(1)","164.312(e)(2)(ii)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FIA_AFL.1"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336715633328" onclick="return openRuleDetailsDialog('idm46336715633328')">Disable GSSAPI Authentication</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sshd_disable_compression" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sshd_disable_compression" id="rule-overview-leaf-idm46336715610304" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh_server" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86891r2_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-040470"],"NIST SP 800-171":["3.1.12"],"NIST SP 800-53":["CM-6(b)"],"HIPAA":["164.308(a)(4)(i)","164.308(b)(1)","164.308(b)(3)","164.310(b)","164.312(e)(1)","164.312(e)(2)(ii)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336715610304" onclick="return openRuleDetailsDialog('idm46336715610304')">Disable Compression Or Set Compression to delayed</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sshd_disable_root_login" id="rule-overview-leaf-idm46336715607360" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh_server" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86871r2_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-040370"],"NIST SP 800-171":["3.1.1","3.1.5"],"NIST SP 800-53":["AC-3","AC-6(2)","IA-2(1)","IA-2(5)"],"CIS Recommendation":["5.2.8"],"FBI CJIS":["5.5.6"],"HIPAA":["164.308(a)(4)(i)","164.308(b)(1)","164.308(b)(3)","164.310(b)","164.312(e)(1)","164.312(e)(2)(ii)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FIA_AFL.1"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336715607360" onclick="return openRuleDetailsDialog('idm46336715607360')">Disable SSH Root Login</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_openssh-server_installed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_openssh-server_installed" id="rule-overview-leaf-idm46336715591888" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh" data-references='{"":["SRG-OS000423-GPOS-00190"],"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86857r2_rule"],"DISA CCI":["CCI-002418","CCI-002420","CCI-002421","CCI-002422"],"DISA SRG":["SRG-OS-000423-GPOS-00187","SRG-OS-000423-GPOS-00188","SRG-OS-000423-GPOS-00189"],"DISA STIG":["RHEL-07-040300"],"NIST SP 800-53":["SC-8"]}'><td style="padding-left: 57px"><a href="#rule-detail-idm46336715591888" onclick="return openRuleDetailsDialog('idm46336715591888')">Install the OpenSSH Server Package</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_sshd_enabled" class="rule-overview-leaf rule-overview-leaf-error rule-overview-needs-attention" id="rule-overview-leaf-idm46336715581728" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh" data-references='{"":["SRG-OS000423-GPOS-00190"],"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86859r2_rule"],"DISA CCI":["CCI-002418","CCI-002420","CCI-002421","CCI-002422"],"DISA SRG":["SRG-OS-000423-GPOS-00187","SRG-OS-000423-GPOS-00188","SRG-OS-000423-GPOS-00189"],"DISA STIG":["RHEL-07-040310"],"NIST SP 800-171":["3.1.13","3.5.4","3.13.8"],"NIST SP 800-53":["SC-8"]}'><td style="padding-left: 57px"><a href="#rule-detail-idm46336715581728" onclick="return openRuleDetailsDialog('idm46336715581728')">Enable the OpenSSH Service</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-error"><div><abbr title="The checking engine could not complete the evaluation, therefore the status of the target's compliance with the rule is not certain. This could happen, for example, if a testing tool was run with insufficient privileges and could not gather all of the necessary information.">error</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_file_permissions_sshd_pub_key" class="rule-overview-leaf rule-overview-leaf-error rule-overview-needs-attention" id="rule-overview-leaf-idm46336715575168" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86879r1_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-040410"],"NIST SP 800-171":["3.1.13","3.13.10"],"NIST SP 800-53":["AC-6"]}'><td style="padding-left: 57px"><a href="#rule-detail-idm46336715575168" onclick="return openRuleDetailsDialog('idm46336715575168')">Verify Permissions on SSH Server Public *.pub Key Files</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-error"><div><abbr title="The checking engine could not complete the evaluation, therefore the status of the target's compliance with the rule is not certain. This could happen, for example, if a testing tool was run with insufficient privileges and could not gather all of the necessary information.">error</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key" class="rule-overview-leaf rule-overview-leaf-error rule-overview-needs-attention" id="rule-overview-leaf-idm46336715567280" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86881r1_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-040420"],"NIST SP 800-171":["3.1.13","3.13.10"],"NIST SP 800-53":["AC-6"]}'><td style="padding-left: 57px"><a href="#rule-detail-idm46336715567280" onclick="return openRuleDetailsDialog('idm46336715567280')">Verify Permissions on SSH Server Private *_key Key Files</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-error"><div><abbr title="The checking engine could not complete the evaluation, therefore the status of the target's compliance with the rule is not certain. This could happen, for example, if a testing tool was run with insufficient privileges and could not gather all of the necessary information.">error</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_system" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="xccdf_org.ssgproject.content_benchmark_RHEL-7"><td colspan="3" style="padding-left: 19px"><strong>System Settings</strong> <span class="badge">9x fail</span> <span class="badge">6x error</span> <span class="badge">26x notchecked</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_logging" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_logging" data-tt-parent-id="xccdf_org.ssgproject.content_group_system"><td colspan="3" style="padding-left: 38px">Configure Syslog<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_logging");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_rsyslog_sending_messages" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_rsyslog_sending_messages" data-tt-parent-id="xccdf_org.ssgproject.content_group_logging"><td colspan="3" style="padding-left: 57px">Rsyslog Logs Sent To Remote Host<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_rsyslog_sending_messages");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_rsyslog_remote_loghost" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_rsyslog_remote_loghost" id="rule-overview-leaf-idm46336715556560" data-tt-parent-id="xccdf_org.ssgproject.content_group_rsyslog_sending_messages" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86833r1_rule"],"DISA CCI":["CCI-000366","CCI-001348","CCI-000136","CCI-001851"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-031000"],"NIST SP 800-53":["AU-3(2)","AU-4(1)","AU-9"],"CIS Recommendation":["4.2.1.4"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(5)(ii)(B)","164.308(a)(5)(ii)(C)","164.308(a)(6)(ii)","164.308(a)(8)","164.310(d)(2)(iii)","164.312(b)","164.314(a)(2)(i)(C)","164.314(a)(2)(iii)"],"ISO 27001-2013":["A.12.3.1"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336715556560" onclick="return openRuleDetailsDialog('idm46336715556560')">Ensure Logs Sent To Remote Host</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_ensure_rsyslog_log_file_configuration" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_ensure_rsyslog_log_file_configuration" data-tt-parent-id="xccdf_org.ssgproject.content_group_logging"><td colspan="3" style="padding-left: 57px">Ensure Proper Configuration of Log Files<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_ensure_rsyslog_log_file_configuration");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_rsyslog_cron_logging" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_rsyslog_cron_logging" id="rule-overview-leaf-idm46336715553072" data-tt-parent-id="xccdf_org.ssgproject.content_group_ensure_rsyslog_log_file_configuration" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86675r1_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-021100"],"NIST SP 800-53":["AU-2(d)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336715553072" onclick="return openRuleDetailsDialog('idm46336715553072')">Ensure cron Is Logging To Rsyslog</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_rsyslog_accepting_remote_messages" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_rsyslog_accepting_remote_messages" data-tt-parent-id="xccdf_org.ssgproject.content_group_logging"><td colspan="3" style="padding-left: 57px">Configure <tt>rsyslogd</tt> to Accept Remote Messages If Acting as a Log Server<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_rsyslog_accepting_remote_messages");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_rsyslog_nolisten" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_rsyslog_nolisten" id="rule-overview-leaf-idm46336715526848" data-tt-parent-id="xccdf_org.ssgproject.content_group_rsyslog_accepting_remote_messages" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86835r1_rule"],"DISA CCI":["CCI-000318","CCI-000368","CCI-001812","CCI-001813","CCI-001814"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-031010"],"NIST SP 800-53":["AU-9(2)","AC-4","CM-6(c)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336715526848" onclick="return openRuleDetailsDialog('idm46336715526848')">Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_network" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_network" data-tt-parent-id="xccdf_org.ssgproject.content_group_system"><td colspan="3" style="padding-left: 38px"><strong>Network Configuration and Firewalls</strong> <span class="badge">2x fail</span> <span class="badge">1x error</span> <span class="badge">2x notchecked</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_network-firewalld" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_network-firewalld" data-tt-parent-id="xccdf_org.ssgproject.content_group_network"><td colspan="3" style="padding-left: 57px"><strong>firewalld</strong> <span class="badge">1x fail</span> <span class="badge">1x error</span> <span class="badge">1x notchecked</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_ruleset_modifications" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_ruleset_modifications" data-tt-parent-id="xccdf_org.ssgproject.content_group_network-firewalld"><td colspan="3" style="padding-left: 76px"><strong>Strengthen the Default Ruleset</strong> <span class="badge">1x fail</span> <span class="badge">1x notchecked</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_set_firewalld_default_zone" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46336715510240" data-tt-parent-id="xccdf_org.ssgproject.content_group_ruleset_modifications" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86939r2_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-040810"],"NIST SP 800-171":["3.1.3","3.4.7","3.13.6"],"NIST SP 800-53":["CM-6(b)","CM-7"],"FBI CJIS":["5.10.1"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_MOF_EXT.1"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336715510240" onclick="return openRuleDetailsDialog('idm46336715510240')">Set Default firewalld Zone for Incoming Packets</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_configure_firewalld_ports" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_configure_firewalld_ports" id="rule-overview-leaf-idm46336715506272" data-tt-parent-id="xccdf_org.ssgproject.content_group_ruleset_modifications" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86843r1_rule"],"DISA CCI":["CCI-000382","CCI-002314"],"DISA SRG":["SRG-OS-000096-GPOS-00050","SRG-OS-000297-GPOS-00115"],"DISA STIG":["RHEL-07-040100"],"NIST SP 800-53":["CM-7","CM-7.1(iii)","CM-7(b)","AC-17(1)"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336715506272" onclick="return openRuleDetailsDialog('idm46336715506272')">Configure the Firewalld Ports</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_configure_firewalld_rate_limiting" class="rule-overview-leaf rule-overview-leaf-notchecked rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_configure_firewalld_rate_limiting" id="rule-overview-leaf-idm46336715482528" data-tt-parent-id="xccdf_org.ssgproject.content_group_ruleset_modifications" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86895r2_rule"],"DISA CCI":["CCI-002385"],"DISA SRG":["SRG-OS-000420-GPOS-00186"],"DISA STIG":["RHEL-07-040510"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336715482528" onclick="return openRuleDetailsDialog('idm46336715482528')">Configure firewalld To Rate Limit Connections</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_firewalld_activation" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_firewalld_activation" data-tt-parent-id="xccdf_org.ssgproject.content_group_network-firewalld"><td colspan="3" style="padding-left: 76px"><strong>Inspect and Activate Default firewalld Rules</strong> <span class="badge">1x error</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_firewalld_enabled" class="rule-overview-leaf rule-overview-leaf-error rule-overview-needs-attention" id="rule-overview-leaf-idm46336715500448" data-tt-parent-id="xccdf_org.ssgproject.content_group_firewalld_activation" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86897r1_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-040520"],"NIST SP 800-171":["3.1.3","3.4.7"],"NIST SP 800-53":["CM-6(b)"],"CIS Recommendation":["4.7"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_MOF_EXT.1"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336715500448" onclick="return openRuleDetailsDialog('idm46336715500448')">Verify firewalld Enabled</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-error"><div><abbr title="The checking engine could not complete the evaluation, therefore the status of the target's compliance with the rule is not certain. This could happen, for example, if a testing tool was run with insufficient privileges and could not gather all of the necessary information.">error</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_network-ipsec" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_network-ipsec" data-tt-parent-id="xccdf_org.ssgproject.content_group_network"><td colspan="3" style="padding-left: 57px"><strong>IPSec Support</strong> <span class="badge">1x notchecked</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_libreswan_approved_tunnels" class="rule-overview-leaf rule-overview-leaf-notchecked rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_libreswan_approved_tunnels" id="rule-overview-leaf-idm46336715478304" data-tt-parent-id="xccdf_org.ssgproject.content_group_network-ipsec" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86941r1_rule"],"DISA CCI":["CCI-000336"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-040820"],"NIST SP 800-53":["AC-4"],"HIPAA":["164.308(a)(4)(i)","164.308(b)(1)","164.308(b)(3)","164.310(b)","164.312(e)(1)","164.312(e)(2)(ii)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336715478304" onclick="return openRuleDetailsDialog('idm46336715478304')">Verify Any Configured IPSec Tunnel Connections</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_network-ipv6" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_network-ipv6" data-tt-parent-id="xccdf_org.ssgproject.content_group_network"><td colspan="3" style="padding-left: 57px">IPv6<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_network-ipv6");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_configuring_ipv6" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_configuring_ipv6" data-tt-parent-id="xccdf_org.ssgproject.content_group_network-ipv6"><td colspan="3" style="padding-left: 76px">Configure IPv6 Settings if Necessary<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_configuring_ipv6");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_disabling_ipv6_autoconfig" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_disabling_ipv6_autoconfig" data-tt-parent-id="xccdf_org.ssgproject.content_group_configuring_ipv6"><td colspan="3" style="padding-left: 95px">Disable Automatic Configuration<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_disabling_ipv6_autoconfig");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_source_route" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_source_route" id="rule-overview-leaf-idm46336715461456" data-tt-parent-id="xccdf_org.ssgproject.content_group_disabling_ipv6_autoconfig" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86943r1_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-040830"],"NIST SP 800-171":["3.1.20"],"NIST SP 800-53":["AC-4"]}'><td style="padding-left: 114px"><a href="#rule-detail-idm46336715461456" onclick="return openRuleDetailsDialog('idm46336715461456')">Configure Kernel Parameter for Accepting IPv6 Source-Routed Packets for All Interfaces</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_network-kernel" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_network-kernel" data-tt-parent-id="xccdf_org.ssgproject.content_group_network"><td colspan="3" style="padding-left: 57px">Kernel Parameters Which Affect Networking<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_network-kernel");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_network_host_and_router_parameters" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_network_host_and_router_parameters" data-tt-parent-id="xccdf_org.ssgproject.content_group_network-kernel"><td colspan="3" style="padding-left: 76px">Network Related Kernel Runtime Parameters for Hosts and Routers<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_network_host_and_router_parameters");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_source_route" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_source_route" id="rule-overview-leaf-idm46336715419728" data-tt-parent-id="xccdf_org.ssgproject.content_group_network_host_and_router_parameters" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86909r1_rule"],"DISA CCI":["CCI-000366","CCI-001551"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-040620"],"NIST SP 800-171":["3.1.20"],"NIST SP 800-53":["AC-4","CM-7","SC-5","SC-7"],"CIS Recommendation":["3.2.1"],"FBI CJIS":["5.10.1.1"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336715419728" onclick="return openRuleDetailsDialog('idm46336715419728')">Configure Kernel Parameter for Accepting Source-Routed Packets By Default</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_echo_ignore_broadcasts" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_echo_ignore_broadcasts" id="rule-overview-leaf-idm46336715414784" data-tt-parent-id="xccdf_org.ssgproject.content_group_network_host_and_router_parameters" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86911r1_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-040630"],"NIST SP 800-171":["3.1.20"],"NIST SP 800-53":["AC-4","CM-7","SC-5"],"CIS Recommendation":["3.2.5"],"FBI CJIS":["5.10.1.1"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336715414784" onclick="return openRuleDetailsDialog('idm46336715414784')">Configure Kernel Parameter to Ignore ICMP Broadcast Echo Requests</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_redirects" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_redirects" id="rule-overview-leaf-idm46336715394880" data-tt-parent-id="xccdf_org.ssgproject.content_group_network_host_and_router_parameters" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86913r2_rule"],"DISA CCI":["CCI-001551"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-040640"],"NIST SP 800-171":["3.1.20"],"NIST SP 800-53":["AC-4","CM-7","SC-5","SC-7"],"CIS Recommendation":["3.2.2"],"FBI CJIS":["5.10.1.1"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336715394880" onclick="return openRuleDetailsDialog('idm46336715394880')">Configure Kernel Parameter for Accepting ICMP Redirects By Default</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_source_route" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_source_route" id="rule-overview-leaf-idm46336715405424" data-tt-parent-id="xccdf_org.ssgproject.content_group_network_host_and_router_parameters" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86907r1_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-040610"],"NIST SP 800-171":["3.1.20"],"NIST SP 800-53":["AC-4","CM-7","SC-5"],"CIS Recommendation":["3.2.1"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336715405424" onclick="return openRuleDetailsDialog('idm46336715405424')">Configure Kernel Parameter for Accepting IPv4 Source-Routed Packets for All Interfaces</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_redirects" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_redirects" id="rule-overview-leaf-idm46336715381136" data-tt-parent-id="xccdf_org.ssgproject.content_group_network_host_and_router_parameters" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-87827r3_rule"],"DISA CCI":["CCI-000366","CCI-001503","CCI-001551"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-040641"],"NIST SP 800-171":["3.1.20"],"NIST SP 800-53":["CM-6(d)","CM-7","SC-5"],"CIS Recommendation":["3.2.2"],"FBI CJIS":["5.10.1.1"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336715381136" onclick="return openRuleDetailsDialog('idm46336715381136')">Configure Kernel Parameter for Accepting ICMP Redirects for All Interfaces</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_network_host_parameters" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_network_host_parameters" data-tt-parent-id="xccdf_org.ssgproject.content_group_network-kernel"><td colspan="3" style="padding-left: 76px">Network Parameters for Hosts Only<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_network_host_parameters");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_forward" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_forward" id="rule-overview-leaf-idm46336715354048" data-tt-parent-id="xccdf_org.ssgproject.content_group_network_host_parameters" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86933r1_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-040740"],"NIST SP 800-171":["3.1.20"],"NIST SP 800-53":["CM-7","SC-5","SC-32"],"CIS Recommendation":["3.1.1"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336715354048" onclick="return openRuleDetailsDialog('idm46336715354048')">Disable Kernel Parameter for IP Forwarding</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_send_redirects" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_send_redirects" id="rule-overview-leaf-idm46336715335328" data-tt-parent-id="xccdf_org.ssgproject.content_group_network_host_parameters" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86917r2_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-040660"],"NIST SP 800-171":["3.1.20"],"NIST SP 800-53":["AC-4","CM-7","SC-5(1)"],"CIS Recommendation":["3.1.2"],"FBI CJIS":["5.10.1.1"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336715335328" onclick="return openRuleDetailsDialog('idm46336715335328')">Disable Kernel Parameter for Sending ICMP Redirects for All Interfaces</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_send_redirects" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_send_redirects" id="rule-overview-leaf-idm46336715342624" data-tt-parent-id="xccdf_org.ssgproject.content_group_network_host_parameters" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86915r3_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-040650"],"NIST SP 800-171":["3.1.20"],"NIST SP 800-53":["AC-4","CM-7","SC-5","SC-7"],"CIS Recommendation":["3.1.2"],"FBI CJIS":["5.10.1.1"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336715342624" onclick="return openRuleDetailsDialog('idm46336715342624')">Disable Kernel Parameter for Sending ICMP Redirects by Default</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_network-uncommon" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_network-uncommon" data-tt-parent-id="xccdf_org.ssgproject.content_group_network"><td colspan="3" style="padding-left: 57px">Uncommon Network Protocols<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_network-uncommon");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_kernel_module_dccp_disabled" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_kernel_module_dccp_disabled" id="rule-overview-leaf-idm46336715329360" data-tt-parent-id="xccdf_org.ssgproject.content_group_network-uncommon" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-92517r1_rule"],"DISA CCI":["CCI-001958"],"DISA STIG":["RHEL-07-020101"],"NIST SP 800-171":["3.4.6"],"NIST SP 800-53":["CM-7"],"CIS Recommendation":["3.5.1"],"FBI CJIS":["5.10.1"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336715329360" onclick="return openRuleDetailsDialog('idm46336715329360')">Disable DCCP Support</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_network-wireless" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_network-wireless" data-tt-parent-id="xccdf_org.ssgproject.content_group_network"><td colspan="3" style="padding-left: 57px">Wireless Networking<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_network-wireless");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_wireless_software" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_wireless_software" data-tt-parent-id="xccdf_org.ssgproject.content_group_network-wireless"><td colspan="3" style="padding-left: 76px">Disable Wireless Through Software Configuration<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_wireless_software");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_wireless_disable_interfaces" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_wireless_disable_interfaces" id="rule-overview-leaf-idm46336715300032" data-tt-parent-id="xccdf_org.ssgproject.content_group_wireless_software" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-87829r1_rule"],"DISA CCI":["CCI-000085","CCI-002418"],"DISA SRG":["SRG-OS-000424-GPOS-00188"],"DISA STIG":["RHEL-07-041010"],"NIST SP 800-171":["3.1.16"],"NIST SP 800-53":["AC-17(8)","AC-18(a)","AC-18(d)","AC-18(3)","CM-7"],"CIS Recommendation":["4.3.1"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336715300032" onclick="return openRuleDetailsDialog('idm46336715300032')">Deactivate Wireless Network Interfaces</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_network_sniffer_disabled" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_network_sniffer_disabled" id="rule-overview-leaf-idm46336715296064" data-tt-parent-id="xccdf_org.ssgproject.content_group_network" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86919r1_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-040670"],"NIST SP 800-53":["CM-7","CM-7(2).1(i)","MA-3"]}'><td style="padding-left: 57px"><a href="#rule-detail-idm46336715296064" onclick="return openRuleDetailsDialog('idm46336715296064')">Ensure System is Not Acting as a Network Sniffer</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_network_configure_name_resolution" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46336715287104" data-tt-parent-id="xccdf_org.ssgproject.content_group_network" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86905r1_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-040600"],"NIST SP 800-53":["SC-22"]}'><td style="padding-left: 57px"><a href="#rule-detail-idm46336715287104" onclick="return openRuleDetailsDialog('idm46336715287104')">Configure Multiple DNS Servers in /etc/resolv.conf</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_bootloader-grub2" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_bootloader-grub2" data-tt-parent-id="xccdf_org.ssgproject.content_group_system"><td colspan="3" style="padding-left: 38px"><strong>Set Boot Loader Password</strong> <span class="badge">1x fail</span> <span class="badge">1x notchecked</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_grub2_password" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46336715283136" data-tt-parent-id="xccdf_org.ssgproject.content_group_bootloader-grub2" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86585r4_rule"],"DISA CCI":["CCI-000213"],"DISA SRG":["SRG-OS-000080-GPOS-00048"],"DISA STIG":["RHEL-07-010480"],"NIST SP 800-171":["3.4.5"],"NIST SP 800-53":["IA-2(1)","IA-5(e)","AC-3"],"CIS Recommendation":["1.4.2"],"HIPAA":["164.308(a)(1)(ii)(B)","164.308(a)(7)(i)","164.308(a)(7)(ii)(A)","164.310(a)(1)","164.310(a)(2)(i)","164.310(a)(2)(ii)","164.310(a)(2)(iii)","164.310(b)","164.310(c)","164.310(d)(1)","164.310(d)(2)(iii)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FIA_AFL.1"]}'><td style="padding-left: 57px"><a href="#rule-detail-idm46336715283136" onclick="return openRuleDetailsDialog('idm46336715283136')">Set Boot Loader Password in grub2</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_grub2_uefi_password" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_grub2_uefi_password" id="rule-overview-leaf-idm46336715274224" data-tt-parent-id="xccdf_org.ssgproject.content_group_bootloader-grub2" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86587r3_rule"],"DISA CCI":["CCI-000213"],"DISA SRG":["SRG-OS-000080-GPOS-00048"],"DISA STIG":["RHEL-07-010490"],"NIST SP 800-171":["3.4.5"],"NIST SP 800-53":["AC-3"],"CIS Recommendation":["1.4.2"],"HIPAA":["164.308(a)(1)(ii)(B)","164.308(a)(7)(i)","164.308(a)(7)(ii)(A)","164.310(a)(1)","164.310(a)(2)(i)","164.310(a)(2)(ii)","164.310(a)(2)(iii)","164.310(b)","164.310(c)","164.310(d)(1)","164.310(d)(2)(iii)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FIA_AFL.1"]}'><td style="padding-left: 57px"><a href="#rule-detail-idm46336715274224" onclick="return openRuleDetailsDialog('idm46336715274224')">Set the UEFI Boot Loader Password</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_grub2_no_removeable_media" class="rule-overview-leaf rule-overview-leaf-notchecked rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_grub2_no_removeable_media" id="rule-overview-leaf-idm46336715270288" data-tt-parent-id="xccdf_org.ssgproject.content_group_bootloader-grub2" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86699r1_rule"],"DISA CCI":["CCI-001814"],"DISA SRG":["SRG-OS-000364-GPOS-00151"],"DISA STIG":["RHEL-07-021700"]}'><td style="padding-left: 57px"><a href="#rule-detail-idm46336715270288" onclick="return openRuleDetailsDialog('idm46336715270288')">Boat Loader Is Not Installed On Removeable Media</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_selinux" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_selinux" data-tt-parent-id="xccdf_org.ssgproject.content_group_system"><td colspan="3" style="padding-left: 38px"><strong>SELinux</strong> <span class="badge">1x fail</span> <span class="badge">1x notchecked</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_selinux_policytype" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_selinux_policytype" id="rule-overview-leaf-idm46336714674640" data-tt-parent-id="xccdf_org.ssgproject.content_group_selinux" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86615r3_rule"],"DISA CCI":["CCI-002696"],"DISA SRG":["SRG-OS-000445-GPOS-00199"],"DISA STIG":["RHEL-07-020220"],"NIST SP 800-171":["3.1.2","3.7.2"],"NIST SP 800-53":["AC-3","AC-3(3)","AC-3(4)","AC-4","AC-6","AU-9","SI-6(a)"],"CIS Recommendation":["1.6.1.3"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)","164.308(a)(4)","164.310(b)","164.310(c)","164.312(a)","164.312(e)"]}'><td style="padding-left: 57px"><a href="#rule-detail-idm46336714674640" onclick="return openRuleDetailsDialog('idm46336714674640')">Configure SELinux Policy</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_selinux_all_devicefiles_labeled" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46336714664784" data-tt-parent-id="xccdf_org.ssgproject.content_group_selinux" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86663r1_rule"],"DISA CCI":["CCI-000022","CCI-000032","CCI-000368","CCI-000318","CCI-001812","CCI-001813","CCI-001814"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-020900"],"NIST SP 800-171":["3.1.2","3.1.5","3.7.2"],"NIST SP 800-53":["AC-6","AU-9","CM-3(f)","CM-7"]}'><td style="padding-left: 57px"><a href="#rule-detail-idm46336714664784" onclick="return openRuleDetailsDialog('idm46336714664784')">Ensure No Device Files are Unlabeled by SELinux</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_selinux_user_login_roles" class="rule-overview-leaf rule-overview-leaf-notchecked rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_selinux_user_login_roles" id="rule-overview-leaf-idm46336714660816" data-tt-parent-id="xccdf_org.ssgproject.content_group_selinux" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86595r1_rule"],"DISA CCI":["CCI-002235"],"DISA SRG":["SRG-OS-000324-GPOS-00125"],"DISA STIG":["RHEL-07-020020"]}'><td style="padding-left: 57px"><a href="#rule-detail-idm46336714660816" onclick="return openRuleDetailsDialog('idm46336714660816')">Map System Users To The Appropriate SELinux Role</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_selinux_state" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_selinux_state" id="rule-overview-leaf-idm46336714658000" data-tt-parent-id="xccdf_org.ssgproject.content_group_selinux" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86613r2_rule"],"DISA CCI":["CCI-002165","CCI-002696"],"DISA SRG":["SRG-OS-000445-GPOS-00199"],"DISA STIG":["RHEL-07-020210"],"NIST SP 800-171":["3.1.2","3.7.2"],"NIST SP 800-53":["AC-3","AC-3(3)","AC-3(4)","AC-4","AC-6","AU-9","SI-6(a)"],"CIS Recommendation":["1.6.1.2"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)","164.308(a)(4)","164.310(b)","164.310(c)","164.312(a)","164.312(e)"]}'><td style="padding-left: 57px"><a href="#rule-detail-idm46336714658000" onclick="return openRuleDetailsDialog('idm46336714658000')">Ensure SELinux State is Enforcing</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_accounts" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_accounts" data-tt-parent-id="xccdf_org.ssgproject.content_group_system"><td colspan="3" style="padding-left: 38px"><strong>Account and Access Control</strong> <span class="badge">2x error</span> <span class="badge">17x notchecked</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_accounts-pam" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_accounts-pam" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts"><td colspan="3" style="padding-left: 57px">Protect Accounts by Configuring PAM<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_accounts-pam");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_set_password_hashing_algorithm" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_set_password_hashing_algorithm" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-pam"><td colspan="3" style="padding-left: 76px">Set Password Hashing Algorithm<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_set_password_hashing_algorithm");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_logindefs" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_logindefs" id="rule-overview-leaf-idm46336714645440" data-tt-parent-id="xccdf_org.ssgproject.content_group_set_password_hashing_algorithm" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86545r1_rule"],"DISA CCI":["CCI-000196"],"DISA SRG":["SRG-OS-000073-GPOS-00041"],"DISA STIG":["RHEL-07-010210"],"NIST SP 800-171":["3.13.11"],"NIST SP 800-53":["IA-5(b)","IA-5(c)","IA-5(1)(c)","IA-7"],"CIS Recommendation":["6.3.1"],"FBI CJIS":["5.6.2.2"],"PCI-DSS Requirement":["Req-8.2.1"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336714645440" onclick="return openRuleDetailsDialog('idm46336714645440')">Set Password Hashing Algorithm in /etc/login.defs</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_libuserconf" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_libuserconf" id="rule-overview-leaf-idm46336714641440" data-tt-parent-id="xccdf_org.ssgproject.content_group_set_password_hashing_algorithm" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86547r2_rule"],"DISA CCI":["CCI-000196"],"DISA SRG":["SRG-OS-000073-GPOS-00041"],"DISA STIG":["RHEL-07-010220"],"NIST SP 800-171":["3.13.11"],"NIST SP 800-53":["IA-5(b)","IA-5(c)","IA-5(1)(c)","IA-7"],"FBI CJIS":["5.6.2.2"],"PCI-DSS Requirement":["Req-8.2.1"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336714641440" onclick="return openRuleDetailsDialog('idm46336714641440')">Set Password Hashing Algorithm in /etc/libuser.conf</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_systemauth" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_systemauth" id="rule-overview-leaf-idm46336714637488" data-tt-parent-id="xccdf_org.ssgproject.content_group_set_password_hashing_algorithm" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86543r2_rule"],"DISA CCI":["CCI-000196"],"DISA SRG":["SRG-OS-000073-GPOS-00041"],"DISA STIG":["RHEL-07-010200"],"NIST SP 800-171":["3.13.11"],"NIST SP 800-53":["IA-5(b)","IA-5(c)","IA-5(1)(c)","IA-7"],"CIS Recommendation":["6.3.1"],"FBI CJIS":["5.6.2.2"],"PCI-DSS Requirement":["Req-8.2.1"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336714637488" onclick="return openRuleDetailsDialog('idm46336714637488')">Set PAM's Password Hashing Algorithm</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_locking_out_password_attempts" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_locking_out_password_attempts" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-pam"><td colspan="3" style="padding-left: 76px">Set Lockouts for Failed Password Attempts<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_locking_out_password_attempts");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root" id="rule-overview-leaf-idm46336714633536" data-tt-parent-id="xccdf_org.ssgproject.content_group_locking_out_password_attempts" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86569r2_rule"],"DISA CCI":["CCI-002238"],"DISA SRG":["SRG-OS-000329-GPOS-00128","SRG-OS-000021-GPOS-00005"],"DISA STIG":["RHEL-07-010330"],"NIST SP 800-53":["AC-7(b)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_MOF_EXT.1"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336714633536" onclick="return openRuleDetailsDialog('idm46336714633536')">Configure the root Account for Failed Password Attempts</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time" id="rule-overview-leaf-idm46336714628224" data-tt-parent-id="xccdf_org.ssgproject.content_group_locking_out_password_attempts" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86567r3_rule"],"DISA CCI":["CCI-002238"],"DISA SRG":["SRG-OS-000329-GPOS-00128","SRG-OS-000021-GPOS-00005"],"DISA STIG":["RHEL-07-010320"],"NIST SP 800-171":["3.1.8"],"NIST SP 800-53":["AC-7(b)"],"CIS Recommendation":["5.3.2"],"FBI CJIS":["5.5.3"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_MOF_EXT.1"],"PCI-DSS Requirement":["Req-8.1.7"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336714628224" onclick="return openRuleDetailsDialog('idm46336714628224')">Set Lockout Time For Failed Password Attempts</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember" id="rule-overview-leaf-idm46336714620080" data-tt-parent-id="xccdf_org.ssgproject.content_group_locking_out_password_attempts" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86557r2_rule"],"DISA CCI":["CCI-000200"],"DISA SRG":["SRG-OS-000077-GPOS-00045"],"DISA STIG":["RHEL-07-010270"],"NIST SP 800-171":["3.5.8"],"NIST SP 800-53":["IA-5(f)","IA-5(1)(e)"],"CIS Recommendation":["5.3.3"],"FBI CJIS":["5.6.2.1.1"],"PCI-DSS Requirement":["Req-8.2.5"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336714620080" onclick="return openRuleDetailsDialog('idm46336714620080')">Limit Password Reuse</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval" id="rule-overview-leaf-idm46336714609248" data-tt-parent-id="xccdf_org.ssgproject.content_group_locking_out_password_attempts" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86567r3_rule"],"DISA CCI":["CCI-002238"],"DISA SRG":["SRG-OS-000329-GPOS-00128","SRG-OS-000021-GPOS-00005"],"DISA STIG":["RHEL-07-010320"],"NIST SP 800-53":["AC-7(b)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_MOF_EXT.1"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336714609248" onclick="return openRuleDetailsDialog('idm46336714609248')">Set Interval For Counting Failed Password Attempts</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny" id="rule-overview-leaf-idm46336714603408" data-tt-parent-id="xccdf_org.ssgproject.content_group_locking_out_password_attempts" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86567r3_rule"],"DISA CCI":["CCI-002238"],"DISA SRG":["SRG-OS-000329-GPOS-00128","SRG-OS-000021-GPOS-00005"],"DISA STIG":["RHEL-07-010320"],"NIST SP 800-171":["3.1.8"],"NIST SP 800-53":["AC-7(b)"],"CIS Recommendation":["5.3.2"],"FBI CJIS":["5.5.3"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_MOF_EXT.1"],"PCI-DSS Requirement":["Req-8.1.6"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336714603408" onclick="return openRuleDetailsDialog('idm46336714603408')">Set Deny For Failed Password Attempts</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_password_quality" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_password_quality" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-pam"><td colspan="3" style="padding-left: 76px">Set Password Quality Requirements<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_password_quality");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_password_quality_pwquality" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_password_quality_pwquality" data-tt-parent-id="xccdf_org.ssgproject.content_group_password_quality"><td colspan="3" style="padding-left: 95px">Set Password Quality Requirements with pam_pwquality<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_password_quality_pwquality");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen" id="rule-overview-leaf-idm46336714589136" data-tt-parent-id="xccdf_org.ssgproject.content_group_password_quality_pwquality" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86559r1_rule"],"DISA CCI":["CCI-000205"],"DISA SRG":["SRG-OS-000078-GPOS-00046"],"DISA STIG":["RHEL-07-010280"],"NIST SP 800-53":["IA-5(1)(a)"],"CIS Recommendation":["6.3.2"],"FBI CJIS":["5.6.2.1.1"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_MOF_EXT.1"],"PCI-DSS Requirement":["Req-8.2.3"]}'><td style="padding-left: 114px"><a href="#rule-detail-idm46336714589136" onclick="return openRuleDetailsDialog('idm46336714589136')">Set Password Minimum Length</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_password_pam_maxclassrepeat" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_password_pam_maxclassrepeat" id="rule-overview-leaf-idm46336714594064" data-tt-parent-id="xccdf_org.ssgproject.content_group_password_quality_pwquality" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86541r1_rule"],"DISA CCI":["CCI-000195"],"DISA SRG":["SRG-OS-000072-GPOS-00040"],"DISA STIG":["RHEL-07-010190"],"NIST SP 800-53":["IA-5","IA-5(c)"]}'><td style="padding-left: 114px"><a href="#rule-detail-idm46336714594064" onclick="return openRuleDetailsDialog('idm46336714594064')">Set Password to Maximum of Consecutive Repeating Characters from Same Character Class</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_password_pam_maxrepeat" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_password_pam_maxrepeat" id="rule-overview-leaf-idm46336714577552" data-tt-parent-id="xccdf_org.ssgproject.content_group_password_quality_pwquality" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86539r2_rule"],"DISA CCI":["CCI-000195"],"DISA SRG":["SRG-OS-000072-GPOS-00040"],"DISA STIG":["RHEL-07-010180"],"NIST SP 800-53":["IA-5","IA-5(c)"]}'><td style="padding-left: 114px"><a href="#rule-detail-idm46336714577552" onclick="return openRuleDetailsDialog('idm46336714577552')">Set Password Maximum Consecutive Repeating Characters</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit" id="rule-overview-leaf-idm46336714564160" data-tt-parent-id="xccdf_org.ssgproject.content_group_password_quality_pwquality" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86531r2_rule"],"DISA CCI":["CCI-000194"],"DISA SRG":["SRG-OS-000071-GPOS-00039"],"DISA STIG":["RHEL-07-010140"],"NIST SP 800-53":["IA-5(1)(a)","IA-5(b)","IA-5(c)","194"],"CIS Recommendation":["6.3.2"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_MOF_EXT.1"],"PCI-DSS Requirement":["Req-8.2.3"]}'><td style="padding-left: 114px"><a href="#rule-detail-idm46336714564160" onclick="return openRuleDetailsDialog('idm46336714564160')">Set Password Strength Minimum Digit Characters</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_password_pam_minclass" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_password_pam_minclass" id="rule-overview-leaf-idm46336714544256" data-tt-parent-id="xccdf_org.ssgproject.content_group_password_quality_pwquality" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86537r1_rule"],"DISA CCI":["CCI-000195"],"DISA SRG":["SRG-OS-000072-GPOS-00040"],"DISA STIG":["RHEL-07-010170"],"NIST SP 800-53":["IA-5"]}'><td style="padding-left: 114px"><a href="#rule-detail-idm46336714544256" onclick="return openRuleDetailsDialog('idm46336714544256')">Set Password Strength Minimum Different Categories</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_password_pam_difok" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_password_pam_difok" id="rule-overview-leaf-idm46336714548704" data-tt-parent-id="xccdf_org.ssgproject.content_group_password_quality_pwquality" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86535r1_rule"],"DISA CCI":["CCI-000195"],"DISA SRG":["SRG-OS-000072-GPOS-00040"],"DISA STIG":["RHEL-07-010160"],"NIST SP 800-53":["IA-5(b)","IA-5(c)","IA-5(1)(b)"],"FBI CJIS":["5.6.2.1.1"]}'><td style="padding-left: 114px"><a href="#rule-detail-idm46336714548704" onclick="return openRuleDetailsDialog('idm46336714548704')">Set Password Strength Minimum Different Characters</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_password_pam_ocredit" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_password_pam_ocredit" id="rule-overview-leaf-idm46336714522304" data-tt-parent-id="xccdf_org.ssgproject.content_group_password_quality_pwquality" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86533r1_rule"],"DISA CCI":["CCI-001619"],"DISA SRG":["SRG-OS-000266-GPOS-00101"],"DISA STIG":["RHEL-07-010150"],"NIST SP 800-53":["IA-5(b)","IA-5(c)","IA-5(1)(a)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_MOF_EXT.1"]}'><td style="padding-left: 114px"><a href="#rule-detail-idm46336714522304" onclick="return openRuleDetailsDialog('idm46336714522304')">Set Password Strength Minimum Special Characters</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit" id="rule-overview-leaf-idm46336714527728" data-tt-parent-id="xccdf_org.ssgproject.content_group_password_quality_pwquality" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86529r4_rule"],"DISA CCI":["CCI-000193"],"DISA SRG":["SRG-OS-000070-GPOS-00038"],"DISA STIG":["RHEL-07-010130"],"NIST SP 800-53":["IA-5(b)","IA-5(c)","IA-5(1)(a)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_MOF_EXT.1"],"PCI-DSS Requirement":["Req-8.2.3"]}'><td style="padding-left: 114px"><a href="#rule-detail-idm46336714527728" onclick="return openRuleDetailsDialog('idm46336714527728')">Set Password Strength Minimum Lowercase Characters</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit" id="rule-overview-leaf-idm46336714500096" data-tt-parent-id="xccdf_org.ssgproject.content_group_password_quality_pwquality" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86527r2_rule"],"DISA CCI":["CCI-000192"],"DISA SRG":["SRG-OS-000069-GPOS-00037"],"DISA STIG":["RHEL-07-010120"],"NIST SP 800-53":["IA-5(b)","IA-5(c)","IA-5(1)(a)"],"CIS Recommendation":["6.3.2"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_MOF_EXT.1"],"PCI-DSS Requirement":["Req-8.2.3"]}'><td style="padding-left: 114px"><a href="#rule-detail-idm46336714500096" onclick="return openRuleDetailsDialog('idm46336714500096')">Set Password Strength Minimum Uppercase Characters</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_password_pam_retry" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_password_pam_retry" id="rule-overview-leaf-idm46336714505536" data-tt-parent-id="xccdf_org.ssgproject.content_group_password_quality_pwquality" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-87811r3_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00225"],"DISA STIG":["RHEL-07-010119"],"NIST SP 800-53":["CM-6(b)","IA-5(c)"],"CIS Recommendation":["6.3.2"],"FBI CJIS":["5.5.3"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_MOF_EXT.1"]}'><td style="padding-left: 114px"><a href="#rule-detail-idm46336714505536" onclick="return openRuleDetailsDialog('idm46336714505536')">Set Password Retry Prompts Permitted Per-Session</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_display_login_attempts" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_display_login_attempts" id="rule-overview-leaf-idm46336714469264" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-pam" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86899r2_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-040530"],"NIST SP 800-53":["AC-9"],"FBI CJIS":["5.5.2"],"PCI-DSS Requirement":["Req-10.2.4"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336714469264" onclick="return openRuleDetailsDialog('idm46336714469264')">Set Last Logon/Access Notification</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_accounts-restrictions" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_accounts-restrictions" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts"><td colspan="3" style="padding-left: 57px"><strong>Protect Accounts by Restricting Password-Based Login</strong> <span class="badge">2x notchecked</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_password_expiration" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_password_expiration" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-restrictions"><td colspan="3" style="padding-left: 76px"><strong>Set Password Expiration Parameters</strong> <span class="badge">2x notchecked</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_minimum_age_login_defs" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_minimum_age_login_defs" id="rule-overview-leaf-idm46336714460304" data-tt-parent-id="xccdf_org.ssgproject.content_group_password_expiration" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86549r1_rule"],"DISA CCI":["CCI-000198"],"DISA SRG":["SRG-OS-000075-GPOS-00043"],"DISA STIG":["RHEL-07-010230"],"NIST SP 800-171":["3.5.8"],"NIST SP 800-53":["IA-5(f)","IA-5(1)(d)"],"FBI CJIS":["5.6.2.1.1"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336714460304" onclick="return openRuleDetailsDialog('idm46336714460304')">Set Password Minimum Age</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs" id="rule-overview-leaf-idm46336714454816" data-tt-parent-id="xccdf_org.ssgproject.content_group_password_expiration" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86553r1_rule"],"DISA CCI":["CCI-000199"],"DISA SRG":["SRG-OS-000076-GPOS-00044"],"DISA STIG":["RHEL-07-010250"],"NIST SP 800-171":["3.5.6"],"NIST SP 800-53":["IA-5(f)","IA-5(g)","IA-5(1)(d)"],"CIS Recommendation":["5.4.1.1"],"FBI CJIS":["5.6.2.1"],"PCI-DSS Requirement":["Req-8.2.4"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336714454816" onclick="return openRuleDetailsDialog('idm46336714454816')">Set Password Maximum Age</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_password_set_min_life_existing" class="rule-overview-leaf rule-overview-leaf-notchecked rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_password_set_min_life_existing" id="rule-overview-leaf-idm46336714444816" data-tt-parent-id="xccdf_org.ssgproject.content_group_password_expiration" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86551r1_rule"],"DISA CCI":["CCI-000198"],"DISA SRG":["SRG-OS-000075-GPOS-00043"],"DISA STIG":["RHEL-07-010240"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336714444816" onclick="return openRuleDetailsDialog('idm46336714444816')">Set Existing Passwords Minimum Age</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_password_set_max_life_existing" class="rule-overview-leaf rule-overview-leaf-notchecked rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_password_set_max_life_existing" id="rule-overview-leaf-idm46336714448256" data-tt-parent-id="xccdf_org.ssgproject.content_group_password_expiration" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86555r1_rule"],"DISA CCI":["CCI-000199"],"DISA SRG":["SRG-OS-000076-GPOS-00044"],"DISA STIG":["RHEL-07-010260"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336714448256" onclick="return openRuleDetailsDialog('idm46336714448256')">Set Existing Passwords Maximum Age</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_root_logins" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_root_logins" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-restrictions"><td colspan="3" style="padding-left: 76px">Restrict Root Logins<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_root_logins");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero" id="rule-overview-leaf-idm46336714422608" data-tt-parent-id="xccdf_org.ssgproject.content_group_root_logins" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86629r1_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-020310"],"NIST SP 800-171":["3.1.1","3.1.5"],"NIST SP 800-53":["AC-6","IA-2(1)","IA-4"],"CIS Recommendation":["6.2.5"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336714422608" onclick="return openRuleDetailsDialog('idm46336714422608')">Verify Only Root Has UID 0</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_account_expiration" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_account_expiration" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-restrictions"><td colspan="3" style="padding-left: 76px">Set Account Expiration Parameters<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_account_expiration");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_account_disable_post_pw_expiration" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_account_disable_post_pw_expiration" id="rule-overview-leaf-idm46336714414288" data-tt-parent-id="xccdf_org.ssgproject.content_group_account_expiration" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86565r1_rule"],"DISA CCI":["CCI-000795"],"DISA SRG":["SRG-OS-000118-GPOS-00060"],"DISA STIG":["RHEL-07-010310"],"NIST SP 800-171":["3.5.6"],"NIST SP 800-53":["AC-2(2)","AC-2(3)","IA-4(e)"],"FBI CJIS":["5.6.2.1.1"],"PCI-DSS Requirement":["Req-8.1.4"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336714414288" onclick="return openRuleDetailsDialog('idm46336714414288')">Set Account Expiration Following Inactivity</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_password_storage" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_password_storage" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-restrictions"><td colspan="3" style="padding-left: 76px">Verify Proper Storage and Existence of Password Hashes<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_password_storage");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_no_empty_passwords" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_no_empty_passwords" id="rule-overview-leaf-idm46336714393888" data-tt-parent-id="xccdf_org.ssgproject.content_group_password_storage" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86561r2_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-010290"],"NIST SP 800-171":["3.1.1","3.1.5"],"NIST SP 800-53":["AC-6","IA-5(b)","IA-5(c)","IA-5(1)(a)"],"FBI CJIS":["5.5.2"],"HIPAA":["164.308(a)(1)(ii)(B)","164.308(a)(7)(i)","164.308(a)(7)(ii)(A)","164.310(a)(1)","164.310(a)(2)(i)","164.310(a)(2)(ii)","164.310(a)(2)(iii)","164.310(b)","164.310(c)","164.310(d)(1)","164.310(d)(2)(iii)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FIA_AFL.1"],"PCI-DSS Requirement":["Req-8.2.3"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336714393888" onclick="return openRuleDetailsDialog('idm46336714393888')">Prevent Log In to Accounts With Empty Password</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_gid_passwd_group_same" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_gid_passwd_group_same" id="rule-overview-leaf-idm46336714390368" data-tt-parent-id="xccdf_org.ssgproject.content_group_password_storage" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86627r1_rule"],"DISA CCI":["CCI-000764"],"DISA SRG":["SRG-OS-000104-GPOS-00051"],"DISA STIG":["RHEL-07-020300"],"NIST SP 800-53":["IA-2"],"FBI CJIS":["5.5.2"],"PCI-DSS Requirement":["Req-8.5.a"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336714390368" onclick="return openRuleDetailsDialog('idm46336714390368')">All GIDs referenced in /etc/passwd must be defined in /etc/group</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_accounts-physical" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_accounts-physical" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts"><td colspan="3" style="padding-left: 57px"><strong>Protect Physical Console Access</strong> <span class="badge">2x error</span> <span class="badge">1x notchecked</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_screen_locking" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_screen_locking" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-physical"><td colspan="3" style="padding-left: 76px"><strong>Configure Screen Locking</strong> <span class="badge">2x error</span> <span class="badge">1x notchecked</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_console_screen_locking" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_console_screen_locking" data-tt-parent-id="xccdf_org.ssgproject.content_group_screen_locking"><td colspan="3" style="padding-left: 95px">Configure Console Screen Locking<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_console_screen_locking");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_screen_installed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_screen_installed" id="rule-overview-leaf-idm46336714386496" data-tt-parent-id="xccdf_org.ssgproject.content_group_console_screen_locking" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86521r1_rule"],"DISA CCI":["CCI-000057"],"DISA SRG":["SRG-OS-000029-GPOS-00010"],"DISA STIG":["RHEL-07-010090"],"NIST SP 800-171":["3.1.10"],"NIST SP 800-53":["AC-11(a)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_MOF_EXT.1"]}'><td style="padding-left: 114px"><a href="#rule-detail-idm46336714386496" onclick="return openRuleDetailsDialog('idm46336714386496')">Install the screen Package</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_smart_card_login" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_smart_card_login" data-tt-parent-id="xccdf_org.ssgproject.content_group_screen_locking"><td colspan="3" style="padding-left: 95px"><strong>Hardware Tokens for Authentication</strong> <span class="badge">2x error</span> <span class="badge">1x notchecked</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_smartcard_auth" class="rule-overview-leaf rule-overview-leaf-error rule-overview-needs-attention" id="rule-overview-leaf-idm46336714382656" data-tt-parent-id="xccdf_org.ssgproject.content_group_smart_card_login" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86589r1_rule"],"DISA CCI":["CCI-000765","CCI-000766","CCI-000767","CCI-000768","CCI-000771","CCI-000772","CCI-000884"],"DISA SRG":["SRG-OS-000104-GPOS-00051","SRG-OS-000106-GPOS-00053","SRG-OS-000107-GPOS-00054","SRG-OS-000109-GPOS-00056","SRG-OS-000108-GPOS-00055","SRG-OS-000108-GPOS-00057","SRG-OS-000108-GPOS-00058"],"DISA STIG":["RHEL-07-010500"],"NIST SP 800-53":["IA-2(2)"],"PCI-DSS Requirement":["Req-8.3"]}'><td style="padding-left: 114px"><a href="#rule-detail-idm46336714382656" onclick="return openRuleDetailsDialog('idm46336714382656')">Enable Smart Card Login</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-error"><div><abbr title="The checking engine could not complete the evaluation, therefore the status of the target's compliance with the rule is not certain. This could happen, for example, if a testing tool was run with insufficient privileges and could not gather all of the necessary information.">error</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_install_smartcard_packages" class="rule-overview-leaf rule-overview-leaf-error rule-overview-needs-attention" id="rule-overview-leaf-idm46336714357664" data-tt-parent-id="xccdf_org.ssgproject.content_group_smart_card_login" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-87041r2_rule"],"DISA CCI":["CCI-001954"],"DISA SRG":["SRG-OS-000375-GPOS-00160"],"DISA STIG":["RHEL-07-041001"]}'><td style="padding-left: 114px"><a href="#rule-detail-idm46336714357664" onclick="return openRuleDetailsDialog('idm46336714357664')">Install Smart Card Packages For Multifactor Authentication</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-error"><div><abbr title="The checking engine could not complete the evaluation, therefore the status of the target's compliance with the rule is not certain. This could happen, for example, if a testing tool was run with insufficient privileges and could not gather all of the necessary information.">error</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_smartcard_configure_cert_checking" class="rule-overview-leaf rule-overview-leaf-notchecked rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_smartcard_configure_cert_checking" id="rule-overview-leaf-idm46336714372416" data-tt-parent-id="xccdf_org.ssgproject.content_group_smart_card_login" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-87057r4_rule"],"DISA CCI":["CCI-001954"],"DISA SRG":["SRG-OS-000375-GPOS-00160"],"DISA STIG":["RHEL-07-041003"]}'><td style="padding-left: 114px"><a href="#rule-detail-idm46336714372416" onclick="return openRuleDetailsDialog('idm46336714372416')">Configure Smart Card Certificate Status Checking</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_require_singleuser_auth" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_require_singleuser_auth" id="rule-overview-leaf-idm46336714369824" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-physical" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-92519r1_rule","SV-92519r1_rule"],"DISA CCI":["CCI-000213"],"DISA SRG":["SRG-OS-000080-GPOS-00048"],"DISA STIG":["RHEL-07-010481","RHEL-07-010481"],"NIST SP 800-171":["3.1.1","3.4.5"],"NIST SP 800-53":["IA-2(1)","AC-3"],"CIS Recommendation":["1.4.3"],"HIPAA":["164.308(a)(1)(ii)(B)","164.308(a)(7)(i)","164.308(a)(7)(ii)(A)","164.310(a)(1)","164.310(a)(2)(i)","164.310(a)(2)(ii)","164.310(a)(2)(iii)","164.310(b)","164.310(c)","164.310(d)(1)","164.310(d)(2)(iii)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FIA_AFL.1"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336714369824" onclick="return openRuleDetailsDialog('idm46336714369824')">Require Authentication for Single User Mode</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_reboot" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_reboot" id="rule-overview-leaf-idm46336714347328" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-physical" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86617r1_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-020230"],"NIST SP 800-171":["3.4.5"],"NIST SP 800-53":["AC-6"],"HIPAA":["164.308(a)(1)(ii)(B)","164.308(a)(7)(i)","164.308(a)(7)(ii)(A)","164.310(a)(1)","164.310(a)(2)(i)","164.310(a)(2)(ii)","164.310(a)(2)(iii)","164.310(b)","164.310(c)","164.310(d)(1)","164.310(d)(2)(iii)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336714347328" onclick="return openRuleDetailsDialog('idm46336714347328')">Disable Ctrl-Alt-Del Reboot Activation</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_accounts-banners" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_accounts-banners" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts"><td colspan="3" style="padding-left: 57px">Warning Banners for System Accesses<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_accounts-banners");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_gui_login_banner" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_gui_login_banner" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-banners"><td colspan="3" style="padding-left: 76px">Implement a GUI Warning Banner<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_gui_login_banner");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_dconf_gnome_banner_enabled" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_dconf_gnome_banner_enabled" id="rule-overview-leaf-idm46336714336880" data-tt-parent-id="xccdf_org.ssgproject.content_group_gui_login_banner" data-references='{"":["OS-SRG-000023-GPOS-00006"],"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86483r3_rule"],"DISA CCI":["CCI-000048"],"DISA SRG":["SRG-OS-000024-GPOS-00007","SRG-OS-000228-GPOS-00088"],"DISA STIG":["RHEL-07-010030"],"NIST SP 800-171":["3.1.9"],"NIST SP 800-53":["AC-8(a)","AC-8(b)","AC-8(c)(1)","AC-8(c)(2)","AC-8(c)(3)"],"CIS Recommendation":["1.7.2"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_MOF_EXT.1"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336714336880" onclick="return openRuleDetailsDialog('idm46336714336880')">Enable GNOME3 Login Warning Banner</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_dconf_gnome_login_banner_text" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_dconf_gnome_login_banner_text" id="rule-overview-leaf-idm46336714333056" data-tt-parent-id="xccdf_org.ssgproject.content_group_gui_login_banner" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86485r3_rule"],"DISA CCI":["CCI-000048"],"DISA SRG":["SRG-OS-000023-GPOS-00006","SRG-OS-000024-GPOS-00007","SRG-OS-000228-GPOS-00088"],"DISA STIG":["RHEL-07-010040"],"NIST SP 800-171":["3.1.9"],"NIST SP 800-53":["AC-8(a)","AC-8(b)","AC-8(c)"],"CIS Recommendation":["1.7.2"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_MOF_EXT.1"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336714333056" onclick="return openRuleDetailsDialog('idm46336714333056')">Set the GNOME3 Login Warning Banner Text</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_banner_etc_issue" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_banner_etc_issue" id="rule-overview-leaf-idm46336714323808" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-banners" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86487r2_rule"],"DISA CCI":["CCI-000048"],"DISA SRG":["SRG-OS-000023-GPOS-00006","SRG-OS-000024-GPOS-00007"],"DISA STIG":["RHEL-07-010050"],"NIST SP 800-171":["3.1.9"],"NIST SP 800-53":["AC-8(a)","AC-8(b)","AC-8(c)(1)","AC-8(c)(2)","AC-8(c)(3)"],"CIS Recommendation":["1.7.1.2"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_MOF_EXT.1"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336714323808" onclick="return openRuleDetailsDialog('idm46336714323808')">Modify the System Login Banner</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_accounts-session" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_accounts-session" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts"><td colspan="3" style="padding-left: 57px"><strong>Secure Session Configuration Files for Login Accounts</strong> <span class="badge">14x notchecked</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_user_umask" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_user_umask" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-session"><td colspan="3" style="padding-left: 76px"><strong>Ensure that Users Have Sensible Umask Values</strong> <span class="badge">1x notchecked</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_umask_interactive_users" class="rule-overview-leaf rule-overview-leaf-notchecked rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_umask_interactive_users" id="rule-overview-leaf-idm46336714306576" data-tt-parent-id="xccdf_org.ssgproject.content_group_user_umask" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86673r1_rule"],"DISA CCI":["CCI-001814"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-021040"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336714306576" onclick="return openRuleDetailsDialog('idm46336714306576')">Ensure the Default Umask is Set Correctly For Interactive Users</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_umask_etc_login_defs" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_umask_etc_login_defs" id="rule-overview-leaf-idm46336714304160" data-tt-parent-id="xccdf_org.ssgproject.content_group_user_umask" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86619r1_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00228"],"DISA STIG":["RHEL-07-020240"],"NIST SP 800-53":["CM-6(b)","SA-8"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336714304160" onclick="return openRuleDetailsDialog('idm46336714304160')">Ensure the Default Umask is Set Correctly in login.defs</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_user_dot_no_world_writable_programs" class="rule-overview-leaf rule-overview-leaf-notchecked rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_user_dot_no_world_writable_programs" id="rule-overview-leaf-idm46336714293408" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-session" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86661r1_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-020730"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336714293408" onclick="return openRuleDetailsDialog('idm46336714293408')">User Initialization Files Must Not Run World-Writable Programs</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_tmout" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_tmout" id="rule-overview-leaf-idm46336714290528" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-session" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86847r3_rule"],"DISA CCI":["CCI-001133","CCI-000361"],"DISA SRG":["SRG-OS-000163-GPOS-00072"],"DISA STIG":["RHEL-07-040160"],"NIST SP 800-171":["3.1.11"],"NIST SP 800-53":["AC-12","SC-10"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_MOF_EXT.1"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336714290528" onclick="return openRuleDetailsDialog('idm46336714290528')">Set Interactive Session Timeout</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_user_dot_user_ownership" class="rule-overview-leaf rule-overview-leaf-notchecked rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_user_dot_user_ownership" id="rule-overview-leaf-idm46336714284992" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-session" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86653r1_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-020690"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336714284992" onclick="return openRuleDetailsDialog('idm46336714284992')">User Initialization Files Must Be Owned By the Primary User</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_file_permission_user_init_files" class="rule-overview-leaf rule-overview-leaf-notchecked rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_file_permission_user_init_files" id="rule-overview-leaf-idm46336714282400" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-session" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86657r1_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-020710"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336714282400" onclick="return openRuleDetailsDialog('idm46336714282400')">Ensure All User Initialization Files Have Mode 0740 Or Less Permissive</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_user_dot_group_ownership" class="rule-overview-leaf rule-overview-leaf-notchecked rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_user_dot_group_ownership" id="rule-overview-leaf-idm46336714278848" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-session" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86655r2_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-020700"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336714278848" onclick="return openRuleDetailsDialog('idm46336714278848')">User Initialization Files Must Be Group-Owned By The Primary User</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_user_interactive_home_directory_exists" class="rule-overview-leaf rule-overview-leaf-notchecked rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_user_interactive_home_directory_exists" id="rule-overview-leaf-idm46336714275504" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-session" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86639r1_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-020620"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336714275504" onclick="return openRuleDetailsDialog('idm46336714275504')">All Interactive Users Home Directories Must Exist</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_users_home_files_groupownership" class="rule-overview-leaf rule-overview-leaf-notchecked rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_users_home_files_groupownership" id="rule-overview-leaf-idm46336714270240" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-session" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86649r1_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-020670"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336714270240" onclick="return openRuleDetailsDialog('idm46336714270240')">All User Files and Directories In The Home Directory Must Be Group-Owned By The Primary User</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_logon_fail_delay" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_logon_fail_delay" id="rule-overview-leaf-idm46336714267280" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-session" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86575r1_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00226"],"DISA STIG":["RHEL-07-010430"],"NIST SP 800-53":["CM-6(b)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336714267280" onclick="return openRuleDetailsDialog('idm46336714267280')">Ensure the Logon Failure Delay is Set Correctly in login.defs</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_have_homedir_login_defs" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_have_homedir_login_defs" id="rule-overview-leaf-idm46336714248960" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-session" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86637r1_rule"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-020610"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336714248960" onclick="return openRuleDetailsDialog('idm46336714248960')">Ensure Home Directories are Created for New Users</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_max_concurrent_login_sessions" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_max_concurrent_login_sessions" id="rule-overview-leaf-idm46336714260560" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-session" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86841r1_rule"],"DISA CCI":["CCI-000054"],"DISA SRG":["SRG-OS-000027-GPOS-00008"],"DISA STIG":["RHEL-07-040000"],"NIST SP 800-53":["AC-10"],"FBI CJIS":["5.5.2.2"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336714260560" onclick="return openRuleDetailsDialog('idm46336714260560')">Limit the Number of Concurrent Login Sessions Allowed Per User</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_users_home_files_permissions" class="rule-overview-leaf rule-overview-leaf-notchecked rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_users_home_files_permissions" id="rule-overview-leaf-idm46336714243040" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-session" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86651r1_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-020680"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336714243040" onclick="return openRuleDetailsDialog('idm46336714243040')">All User Files and Directories In The Home Directory Must Have Mode 0750 Or Less Permissive</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_user_home_paths_only" class="rule-overview-leaf rule-overview-leaf-notchecked rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_user_home_paths_only" id="rule-overview-leaf-idm46336714240304" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-session" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86659r3_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-020720"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336714240304" onclick="return openRuleDetailsDialog('idm46336714240304')">Ensure that Users Path Contains Only Local Directories</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_file_groupownership_home_directories" class="rule-overview-leaf rule-overview-leaf-notchecked rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_file_groupownership_home_directories" id="rule-overview-leaf-idm46336714237040" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-session" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86645r4_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-020650"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336714237040" onclick="return openRuleDetailsDialog('idm46336714237040')">All Interactive User Home Directories Must Be Group-Owned By The Primary User</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_user_interactive_home_directory_defined" class="rule-overview-leaf rule-overview-leaf-notchecked rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_user_interactive_home_directory_defined" id="rule-overview-leaf-idm46336714233696" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-session" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86635r1_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-020600"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336714233696" onclick="return openRuleDetailsDialog('idm46336714233696')">All Interactive Users Must Have A Home Directory Defined</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_users_home_files_ownership" class="rule-overview-leaf rule-overview-leaf-notchecked rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_users_home_files_ownership" id="rule-overview-leaf-idm46336714230240" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-session" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86647r1_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-020660"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336714230240" onclick="return openRuleDetailsDialog('idm46336714230240')">All User Files and Directories In The Home Directory Must Be Owned By The Primary User</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_file_ownership_home_directories" class="rule-overview-leaf rule-overview-leaf-notchecked rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_file_ownership_home_directories" id="rule-overview-leaf-idm46336714227248" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-session" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86643r4_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-020640"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336714227248" onclick="return openRuleDetailsDialog('idm46336714227248')">All Interactive User Home Directories Must Be Owned By The Primary User</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_file_permissions_home_directories" class="rule-overview-leaf rule-overview-leaf-notchecked rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_file_permissions_home_directories" id="rule-overview-leaf-idm46336714224000" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-session" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86641r2_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-020630"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336714224000" onclick="return openRuleDetailsDialog('idm46336714224000')">All Interactive User Home Directories Must Have mode 0750 Or Less Permissive</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_permissions" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_permissions" data-tt-parent-id="xccdf_org.ssgproject.content_group_system"><td colspan="3" style="padding-left: 38px"><strong>File Permissions and Masks</strong> <span class="badge">2x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_files" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_files" data-tt-parent-id="xccdf_org.ssgproject.content_group_permissions"><td colspan="3" style="padding-left: 57px"><strong>Verify Permissions on Important Files and Directories</strong> <span class="badge">2x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_file_permissions_ungroupowned" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46336714175232" data-tt-parent-id="xccdf_org.ssgproject.content_group_files" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86633r2_rule"],"DISA CCI":["CCI-002165"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-020330"],"NIST SP 800-53":["AC-3(4)","AC-6","IA-2"],"CIS Recommendation":["6.1.12"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336714175232" onclick="return openRuleDetailsDialog('idm46336714175232')">Ensure All Files Are Owned by a Group</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_dir_perms_world_writable_system_owned" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_dir_perms_world_writable_system_owned" id="rule-overview-leaf-idm46336714171264" data-tt-parent-id="xccdf_org.ssgproject.content_group_files" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86671r3_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-021030"],"NIST SP 800-53":["AC-6"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336714171264" onclick="return openRuleDetailsDialog('idm46336714171264')">Ensure All World-Writable Directories Are Owned by a System Account</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_no_files_unowned_by_user" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46336714167328" data-tt-parent-id="xccdf_org.ssgproject.content_group_files" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86631r2_rule"],"DISA CCI":["CCI-002165"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-020320"],"NIST SP 800-53":["AC-3(4)","AC-6","CM-6(b)"],"CIS Recommendation":["6.1.11"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336714167328" onclick="return openRuleDetailsDialog('idm46336714167328')">Ensure All Files Are Owned by a User</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_restrictions" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_restrictions" data-tt-parent-id="xccdf_org.ssgproject.content_group_permissions"><td colspan="3" style="padding-left: 57px">Restrict Programs from Dangerous Execution Patterns<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_restrictions");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_enable_execshield_settings" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_enable_execshield_settings" data-tt-parent-id="xccdf_org.ssgproject.content_group_restrictions"><td colspan="3" style="padding-left: 76px">Enable ExecShield<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_enable_execshield_settings");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_kernel_randomize_va_space" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_kernel_randomize_va_space" id="rule-overview-leaf-idm46336714140560" data-tt-parent-id="xccdf_org.ssgproject.content_group_enable_execshield_settings" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-92521r1_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-040201"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["SC-30(2)"],"CIS Recommendation":["1.5.1"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)","164.308(a)(4)","164.310(b)","164.310(c)","164.312(a)","164.312(e)"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336714140560" onclick="return openRuleDetailsDialog('idm46336714140560')">Enable Randomized Layout of Virtual Address Space</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_partitions" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_partitions" data-tt-parent-id="xccdf_org.ssgproject.content_group_permissions"><td colspan="3" style="padding-left: 57px">Restrict Partition Mount Options<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_partitions");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_mount_option_home_nosuid" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_mount_option_home_nosuid" id="rule-overview-leaf-idm46336714117104" data-tt-parent-id="xccdf_org.ssgproject.content_group_partitions" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86665r3_rule"],"DISA STIG":["RHEL-07-021000"],"NIST SP 800-53":["CM-7","MP-2"],"CIS Recommendation":["1.1.3"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336714117104" onclick="return openRuleDetailsDialog('idm46336714117104')">Add nosuid Option to /home</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_mount_option_nosuid_removable_partitions" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_mount_option_nosuid_removable_partitions" id="rule-overview-leaf-idm46336714108880" data-tt-parent-id="xccdf_org.ssgproject.content_group_partitions" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86667r1_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-021010"],"NIST SP 800-53":["AC-6","AC-19(a)","AC-19(d)","AC-19(e)","CM-7","MP-2"],"CIS Recommendation":["1.1.19"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336714108880" onclick="return openRuleDetailsDialog('idm46336714108880')">Add nosuid Option to Removable Media Partitions</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_mounting" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_mounting" data-tt-parent-id="xccdf_org.ssgproject.content_group_permissions"><td colspan="3" style="padding-left: 57px">Restrict Dynamic Mounting and Unmounting of Filesystems<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_mounting");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_kernel_module_usb-storage_disabled" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_kernel_module_usb-storage_disabled" id="rule-overview-leaf-idm46336714083168" data-tt-parent-id="xccdf_org.ssgproject.content_group_mounting" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86607r2_rule"],"DISA CCI":["CCI-000366","CCI-000778","CCI-001958"],"DISA SRG":["SRG-OS-000114-GPOS-00059","SRG-OS-000378-GPOS-0016","SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-020100"],"NIST SP 800-171":["3.1.21"],"NIST SP 800-53":["AC-19(a)","AC-19(d)","AC-19(e)","IA-3"],"HIPAA":["164.308(a)(3)(i)","164.308(a)(3)(ii)(A)","164.310(d)(1)","164.310(d)(2)","164.312(a)(1)","164.312(a)(2)(iv)","164.312(b)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336714083168" onclick="return openRuleDetailsDialog('idm46336714083168')">Disable Modprobe Loading of USB Storage Driver</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_autofs_disabled" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_service_autofs_disabled" id="rule-overview-leaf-idm46336714055344" data-tt-parent-id="xccdf_org.ssgproject.content_group_mounting" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86609r1_rule"],"DISA CCI":["CCI-000366","CCI-000778","CCI-001958"],"DISA SRG":["SRG-OS-000114-GPOS-00059","SRG-OS-000378-GPOS-00163","SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-020110"],"NIST SP 800-171":["3.4.6"],"NIST SP 800-53":["AC-19(a)","AC-19(d)","AC-19(e)","IA-3"],"CIS Recommendation":["1.1.22"],"HIPAA":["164.308(a)(3)(i)","164.308(a)(3)(ii)(A)","164.310(d)(1)","164.310(d)(2)","164.312(a)(1)","164.312(a)(2)(iv)","164.312(b)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336714055344" onclick="return openRuleDetailsDialog('idm46336714055344')">Disable the Automounter</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_auditing" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_auditing" data-tt-parent-id="xccdf_org.ssgproject.content_group_system"><td colspan="3" style="padding-left: 38px"><strong>System Accounting with <tt>auditd</tt></strong> <span class="badge">2x error</span> <span class="badge">4x notchecked</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_configure_auditd_data_retention" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_configure_auditd_data_retention" data-tt-parent-id="xccdf_org.ssgproject.content_group_auditing"><td colspan="3" style="padding-left: 57px"><strong>Configure <tt>auditd</tt> Data Retention</strong> <span class="badge">4x notchecked</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_auditd_audispd_encrypt_sent_records" class="rule-overview-leaf rule-overview-leaf-notchecked rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_auditd_audispd_encrypt_sent_records" id="rule-overview-leaf-idm46336714043808" data-tt-parent-id="xccdf_org.ssgproject.content_group_configure_auditd_data_retention" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86709r1_rule"],"DISA CCI":["CCI-001851"],"DISA SRG":["SRG-OS-000342-GPOS-00133"],"DISA STIG":["RHEL-07-030310"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336714043808" onclick="return openRuleDetailsDialog('idm46336714043808')">Encrypt Audit Records Sent With audispd Plugin</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_auditd_audispd_configure_remote_server" class="rule-overview-leaf rule-overview-leaf-notchecked rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_auditd_audispd_configure_remote_server" id="rule-overview-leaf-idm46336714040944" data-tt-parent-id="xccdf_org.ssgproject.content_group_configure_auditd_data_retention" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86707r1_rule"],"DISA CCI":["CCI-001851"],"DISA SRG":["SRG-OS-000342-GPOS-00133"],"DISA STIG":["RHEL-07-030300"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336714040944" onclick="return openRuleDetailsDialog('idm46336714040944')">Configure audispd Plugin To Send Logs To Remote Server</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_auditd_audispd_network_failure_action" class="rule-overview-leaf rule-overview-leaf-notchecked rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_auditd_audispd_network_failure_action" id="rule-overview-leaf-idm46336714037600" data-tt-parent-id="xccdf_org.ssgproject.content_group_configure_auditd_data_retention" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-87815r2_rule"],"DISA CCI":["CCI-001851"],"DISA SRG":["SRG-OS-000342-GPOS-00133"],"DISA STIG":["RHEL-07-030321"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336714037600" onclick="return openRuleDetailsDialog('idm46336714037600')">Configure audispd's Plugin network_failure_action On Network Failure</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left" id="rule-overview-leaf-idm46336714029600" data-tt-parent-id="xccdf_org.ssgproject.content_group_configure_auditd_data_retention" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86713r1_rule"],"DISA CCI":["CCI-001855"],"DISA SRG":["SRG-OS-000343-GPOS-00134"],"DISA STIG":["RHEL-07-030330"],"NIST SP 800-53":["AU-1(b)","AU-4","AU-5(b)","IR-5"],"PCI-DSS Requirement":["Req-10.7"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336714029600" onclick="return openRuleDetailsDialog('idm46336714029600')">Configure auditd space_left on Low Disk Space</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_auditd_data_retention_action_mail_acct" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_auditd_data_retention_action_mail_acct" id="rule-overview-leaf-idm46336714024208" data-tt-parent-id="xccdf_org.ssgproject.content_group_configure_auditd_data_retention" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86717r2_rule"],"DISA CCI":["CCI-001855"],"DISA SRG":["SRG-OS-000343-GPOS-00134"],"DISA STIG":["RHEL-07-030350"],"NIST SP 800-171":["3.3.1"],"NIST SP 800-53":["AU-1(b)","AU-4","AU-5(1)","AU-5(a)","IR-5"],"CIS Recommendation":["5.2.1.2"],"FBI CJIS":["5.4.1.1"],"HIPAA":["164.312(a)(2)(ii)"],"ISO 27001-2013":["A.12.3.1"],"PCI-DSS Requirement":["Req-10.7.a"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336714024208" onclick="return openRuleDetailsDialog('idm46336714024208')">Configure auditd mail_acct Action on Low Disk Space</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left_action" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left_action" id="rule-overview-leaf-idm46336714019136" data-tt-parent-id="xccdf_org.ssgproject.content_group_configure_auditd_data_retention" data-references='{"DISA CCI":["CCI-001855"],"DISA SRG":["SRG-OS-000343-GPOS-00134"],"NIST SP 800-171":["3.3.1"],"NIST SP 800-53":["AU-1(b)","AU-4","AU-5(1)","AU-5(b)","IR-5"],"CIS Recommendation":["5.2.1.2"],"FBI CJIS":["5.4.1.1"],"HIPAA":["164.312(a)(2)(ii)"],"ISO 27001-2013":["A.12.3.1"],"PCI-DSS Requirement":["Req-10.7"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336714019136" onclick="return openRuleDetailsDialog('idm46336714019136')">Configure auditd space_left Action on Low Disk Space</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_auditd_audispd_disk_full_action" class="rule-overview-leaf rule-overview-leaf-notchecked rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_auditd_audispd_disk_full_action" id="rule-overview-leaf-idm46336714004880" data-tt-parent-id="xccdf_org.ssgproject.content_group_configure_auditd_data_retention" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86711r2_rule"],"DISA CCI":["CCI-001851"],"DISA SRG":["SRG-OS-000342-GPOS-00133"],"DISA STIG":["RHEL-07-030320"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336714004880" onclick="return openRuleDetailsDialog('idm46336714004880')">Configure audispd's Plugin disk_full_action When Disk Is Full</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_auditd_configure_rules" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_auditd_configure_rules" data-tt-parent-id="xccdf_org.ssgproject.content_group_auditing"><td colspan="3" style="padding-left: 57px"><strong>Configure <tt>auditd</tt> Rules for Comprehensive Auditing</strong> <span class="badge">1x error</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_audit_kernel_module_loading" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_audit_kernel_module_loading" data-tt-parent-id="xccdf_org.ssgproject.content_group_auditd_configure_rules"><td colspan="3" style="padding-left: 76px">Record Information on Kernel Modules Loading and Unloading<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_audit_kernel_module_loading");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_rmmod" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_rmmod" id="rule-overview-leaf-idm46336713995024" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_kernel_module_loading" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86817r3_rule"],"DISA CCI":["CCI-000172"],"DISA SRG":["SRG-OS-000471-GPOS-00216","SRG-OS-000477-GPOS-00222"],"DISA STIG":["RHEL-07-030850"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AC-17(7)","AU-1(b)","AU-2(a)","AU-2(c)","AU-2(d)","AU-12(a)","AU-12(c)","IR-5"],"CIS Recommendation":["5.2.17"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"],"PCI-DSS Requirement":["Req-10.2.7"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336713995024" onclick="return openRuleDetailsDialog('idm46336713995024')">Ensure auditd Collects Information on Kernel Module Unloading - rmmod</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_delete" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_delete" id="rule-overview-leaf-idm46336713970336" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_kernel_module_loading" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86813r3_rule"],"DISA CCI":["CCI-000172"],"DISA SRG":["SRG-OS-000471-GPOS-00216","SRG-OS-000477-GPOS-00222"],"DISA STIG":["RHEL-07-030830"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AC-17(7)","AU-1(b)","AU-2(a)","AU-2(c)","AU-2(d)","AU-12(a)","AU-12(c)","IR-5"],"CIS Recommendation":["5.2.17"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"],"PCI-DSS Requirement":["Req-10.2.7"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336713970336" onclick="return openRuleDetailsDialog('idm46336713970336')">Ensure auditd Collects Information on Kernel Module Unloading - delete_module</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_modprobe" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_modprobe" id="rule-overview-leaf-idm46336713986304" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_kernel_module_loading" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86819r3_rule"],"DISA CCI":["CCI-000172"],"DISA SRG":["SRG-OS-000471-GPOS-00216","SRG-OS-000477-GPOS-00222"],"DISA STIG":["RHEL-07-030860"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AC-17(7)","AU-1(b)","AU-2(a)","AU-2(c)","AU-2(d)","AU-12(a)","AU-12(c)","IR-5"],"CIS Recommendation":["5.2.17"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"],"PCI-DSS Requirement":["Req-10.2.7"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336713986304" onclick="return openRuleDetailsDialog('idm46336713986304')">Ensure auditd Collects Information on Kernel Module Loading and Unloading - modprobe</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_finit" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_finit" id="rule-overview-leaf-idm46336713961840" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_kernel_module_loading" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-93707r1_rule"],"DISA CCI":["CCI-000172"],"DISA SRG":["SRG-OS-000471-GPOS-00216","SRG-OS-000477-GPOS-00222"],"DISA STIG":["RHEL-07-030821"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AC-17(7)","AU-1(b)","AU-2(a)","AU-2(c)","AU-2(d)","AU-12(a)","AU-12(c)","IR-5"],"CIS Recommendation":["5.2.17"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"],"PCI-DSS Requirement":["Req-10.2.7"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336713961840" onclick="return openRuleDetailsDialog('idm46336713961840')">Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_insmod" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_insmod" id="rule-overview-leaf-idm46336713946960" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_kernel_module_loading" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86815r3_rule"],"DISA CCI":["CCI-000172"],"DISA SRG":["SRG-OS-000471-GPOS-00216","SRG-OS-000477-GPOS-00222"],"DISA STIG":["RHEL-07-030840"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AC-17(7)","AU-1(b)","AU-2(a)","AU-2(c)","AU-2(d)","AU-12(a)","AU-12(c)","IR-5"],"CIS Recommendation":["5.2.17"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"],"PCI-DSS Requirement":["Req-10.2.7"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336713946960" onclick="return openRuleDetailsDialog('idm46336713946960')">Ensure auditd Collects Information on Kernel Module Loading - insmod</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_create" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_create" id="rule-overview-leaf-idm46336713967728" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_kernel_module_loading" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-93705r1_rule"],"DISA CCI":["CCI-000172"],"DISA SRG":["SRG-OS-000471-GPOS-00216","SRG-OS-000477-GPOS-00222"],"DISA STIG":["RHEL-07-030819"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336713967728" onclick="return openRuleDetailsDialog('idm46336713967728')">Ensure auditd Collects Information on Kernel Module Loading - create_module</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_init" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_init" id="rule-overview-leaf-idm46336713917920" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_kernel_module_loading" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86811r3_rule"],"DISA CCI":["CCI-000172"],"DISA SRG":["SRG-OS-000471-GPOS-00216","SRG-OS-000477-GPOS-00222"],"DISA STIG":["RHEL-07-030820"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AC-17(7)","AU-1(b)","AU-2(a)","AU-2(c)","AU-2(d)","AU-12(a)","AU-12(c)","IR-5"],"CIS Recommendation":["5.2.17"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"],"PCI-DSS Requirement":["Req-10.2.7"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336713917920" onclick="return openRuleDetailsDialog('idm46336713917920')">Ensure auditd Collects Information on Kernel Module Loading - init_module</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_audit_login_events" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_audit_login_events" data-tt-parent-id="xccdf_org.ssgproject.content_group_auditd_configure_rules"><td colspan="3" style="padding-left: 76px">Record Attempts to Alter Logon and Logout Events<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_audit_login_events");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_login_events_lastlog" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_login_events_lastlog" id="rule-overview-leaf-idm46336713894528" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_login_events" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86771r2_rule"],"DISA CCI":["CCI-000172","CCI-002884","CCI-000126"],"DISA SRG":["SRG-OS-000392-GPOS-00172","SRG-OS-000470-GPOS-00214","SRG-OS-000473-GPOS-00218"],"DISA STIG":["RHEL-07-030620"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AC-17(7)","AU-1(b)","AU-12(a)","AU-12(c)","IR-5"],"CIS Recommendation":["5.2.8"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"],"PCI-DSS Requirement":["Req-10.2.3"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336713894528" onclick="return openRuleDetailsDialog('idm46336713894528')">Record Attempts to Alter Logon and Logout Events - lastlog</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_login_events_faillock" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_login_events_faillock" id="rule-overview-leaf-idm46336713932096" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_login_events" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86769r3_rule"],"DISA CCI":["CCI-000172","CCI-002884","CCI-000126"],"DISA SRG":["SRG-OS-000392-GPOS-00172","SRG-OS-000470-GPOS-00214","SRG-OS-000473-GPOS-00218"],"DISA STIG":["RHEL-07-030610"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AC-17(7)","AU-1(b)","AU-12(a)","AU-12(c)","IR-5"],"CIS Recommendation":["5.2.8"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"],"PCI-DSS Requirement":["Req-10.2.3"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336713932096" onclick="return openRuleDetailsDialog('idm46336713932096')">Record Attempts to Alter Logon and Logout Events - faillock</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_login_events_tallylog" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_login_events_tallylog" id="rule-overview-leaf-idm46336713880896" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_login_events" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86767r2_rule"],"DISA CCI":["CCI-000172","CCI-002884","CCI-000126"],"DISA SRG":["SRG-OS-000392-GPOS-00172","SRG-OS-000470-GPOS-00214","SRG-OS-000473-GPOS-00218"],"DISA STIG":["RHEL-07-030600"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AC-17(7)","AU-1(b)","AU-12(a)","AU-12(c)","IR-5"],"CIS Recommendation":["5.2.8"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"],"PCI-DSS Requirement":["Req-10.2.3"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336713880896" onclick="return openRuleDetailsDialog('idm46336713880896')">Record Attempts to Alter Logon and Logout Events - tallylog</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_audit_dac_actions" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_audit_dac_actions" data-tt-parent-id="xccdf_org.ssgproject.content_group_auditd_configure_rules"><td colspan="3" style="padding-left: 76px">Record Events that Modify the System's Discretionary Access Controls<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_audit_dac_actions");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchown" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchown" id="rule-overview-leaf-idm46336713847312" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_dac_actions" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86723r3_rule"],"DISA CCI":["CCI-000126","CCI-000172"],"DISA SRG":["SRG-OS-000064-GPOS-00033","SRG-OS-000392-GPOS-00172","SRG-OS-000458-GPOS-00203","SRG-OS-000474-GPOS-00219"],"DISA STIG":["RHEL-07-030380"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AC-17(7)","AU-1(b)","AU-2(a)","AU-2(c)","AU-2(d)","AU-12(a)","AU-12(c)","IR-5"],"CIS Recommendation":["5.2.10"],"FBI CJIS":["5.4.1.1"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"],"PCI-DSS Requirement":["Req-10.5.5"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336713847312" onclick="return openRuleDetailsDialog('idm46336713847312')">Record Events that Modify the System's Discretionary Access Controls - fchown</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_setxattr" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_setxattr" id="rule-overview-leaf-idm46336713842288" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_dac_actions" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86735r3_rule"],"DISA CCI":["CCI-000126","CCI-000172"],"DISA SRG":["SRG-OS-000064-GPOS-00033","SRG-OS-000392-GPOS-00172","SRG-OS-000458-GPOS-00203"],"DISA STIG":["RHEL-07-030440"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AC-17(7)","AU-1(b)","AU-2(a)","AU-2(c)","AU-2(d)","AU-12(a)","AU-12(c)","IR-5"],"CIS Recommendation":["5.2.10"],"FBI CJIS":["5.4.1.1"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"],"PCI-DSS Requirement":["Req-10.5.5"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336713842288" onclick="return openRuleDetailsDialog('idm46336713842288')">Record Events that Modify the System's Discretionary Access Controls - setxattr</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown" id="rule-overview-leaf-idm46336713817312" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_dac_actions" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86721r3_rule"],"DISA CCI":["CCI-000126","CCI-000172"],"DISA SRG":["SRG-OS-000064-GPOS-00033","SRG-OS-000392-GPOS-00172","SRG-OS-000458-GPOS-00203","SRG-OS-000474-GPOS-00219"],"DISA STIG":["RHEL-07-030370"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AC-17(7)","AU-1(b)","AU-2(a)","AU-2(c)","AU-2(d)","AU-12(a)","AU-12(c)","IR-5"],"CIS Recommendation":["5.2.10"],"FBI CJIS":["5.4.1.1"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"],"PCI-DSS Requirement":["Req-10.5.5"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336713817312" onclick="return openRuleDetailsDialog('idm46336713817312')">Record Events that Modify the System's Discretionary Access Controls - chown</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lsetxattr" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lsetxattr" id="rule-overview-leaf-idm46336713802224" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_dac_actions" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86739r3_rule"],"DISA CCI":["CCI-000126","CCI-000172"],"DISA SRG":["SRG-OS-000064-GPOS-00033","SRG-OS-000392-GPOS-00172","SRG-OS-000458-GPOS-00203","SRG-OS-000474-GPOS-00219"],"DISA STIG":["RHEL-07-030460"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AC-17(7)","AU-1(b)","AU-2(a)","AU-2(c)","AU-2(d)","AU-12(a)","AU-12(c)","IR-5"],"CIS Recommendation":["5.2.10"],"FBI CJIS":["5.4.1.1"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"],"PCI-DSS Requirement":["Req-10.5.5"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336713802224" onclick="return openRuleDetailsDialog('idm46336713802224')">Record Events that Modify the System's Discretionary Access Controls - lsetxattr</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chmod" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chmod" id="rule-overview-leaf-idm46336713787072" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_dac_actions" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86729r3_rule"],"DISA CCI":["CCI-000126","CCI-000172"],"DISA SRG":["SRG-OS-000064-GPOS-00033","SRG-OS-000392-GPOS-00172","SRG-OS-000458-GPOS-00203"],"DISA STIG":["RHEL-07-030410"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AC-17(7)","AU-1(b)","AU-2(a)","AU-2(c)","AU-2(d)","AU-12(a)","AU-12(c)","IR-5"],"CIS Recommendation":["5.2.10"],"FBI CJIS":["5.4.1.1"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"],"PCI-DSS Requirement":["Req-10.5.5"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336713787072" onclick="return openRuleDetailsDialog('idm46336713787072')">Record Events that Modify the System's Discretionary Access Controls - chmod</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmodat" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmodat" id="rule-overview-leaf-idm46336713771728" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_dac_actions" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86733r3_rule"],"DISA CCI":["CCI-000126","CCI-000172"],"DISA SRG":["SRG-OS-000064-GPOS-00033","SRG-OS-000392-GPOS-00172","SRG-OS-000458-GPOS-00203"],"DISA STIG":["RHEL-07-030430"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AC-17(7)","AU-1(b)","AU-2(a)","AU-2(c)","AU-2(d)","AU-12(a)","AU-12(c)","IR-5"],"CIS Recommendation":["5.2.10"],"FBI CJIS":["5.4.1.1"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"],"PCI-DSS Requirement":["Req-10.5.5"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336713771728" onclick="return openRuleDetailsDialog('idm46336713771728')">Record Events that Modify the System's Discretionary Access Controls - fchmodat</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_removexattr" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_removexattr" id="rule-overview-leaf-idm46336713756800" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_dac_actions" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86741r3_rule"],"DISA CCI":["CCI-000172"],"DISA SRG":["SRG-OS-000064-GPOS-00033","SRG-OS-000392-GPOS-00172","SRG-OS-000458-GPOS-00203"],"DISA STIG":["RHEL-07-030470"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AC-17(7)","AU-1(b)","AU-2(a)","AU-2(c)","AU-2(d)","AU-12(a)","AU-12(c)","IR-5"],"CIS Recommendation":["5.2.10"],"FBI CJIS":["5.4.1.1"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"],"PCI-DSS Requirement":["Req-10.5.5"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336713756800" onclick="return openRuleDetailsDialog('idm46336713756800')">Record Events that Modify the System's Discretionary Access Controls - removexattr</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fremovexattr" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fremovexattr" id="rule-overview-leaf-idm46336713741920" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_dac_actions" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86743r3_rule"],"DISA CCI":["CCI-000172"],"DISA SRG":["SRG-OS-000064-GPOS-00033","SRG-OS-000392-GPOS-00172","SRG-OS-000458-GPOS-00203"],"DISA STIG":["RHEL-07-030480"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AC-17(7)","AU-1(b)","AU-2(a)","AU-2(c)","AU-2(d)","AU-12(a)","AU-12(c)","IR-5"],"CIS Recommendation":["5.2.10"],"FBI CJIS":["5.4.1.1"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"],"PCI-DSS Requirement":["Req-10.5.5"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336713741920" onclick="return openRuleDetailsDialog('idm46336713741920')">Record Events that Modify the System's Discretionary Access Controls - fremovexattr</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchownat" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchownat" id="rule-overview-leaf-idm46336713726688" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_dac_actions" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86727r3_rule"],"DISA CCI":["CCI-000126","CCI-000172"],"DISA SRG":["SRG-OS-000064-GPOS-00033","SRG-OS-000392-GPOS-00172","SRG-OS-000458-GPOS-00203","SRG-OS-000474-GPOS-00219"],"DISA STIG":["RHEL-07-030400"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AC-17(7)","AU-1(b)","AU-2(a)","AU-2(c)","AU-2(d)","AU-12(a)","AU-12(c)","IR-5"],"CIS Recommendation":["5.2.10"],"FBI CJIS":["5.4.1.1"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"],"PCI-DSS Requirement":["Req-10.5.5"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336713726688" onclick="return openRuleDetailsDialog('idm46336713726688')">Record Events that Modify the System's Discretionary Access Controls - fchownat</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmod" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmod" id="rule-overview-leaf-idm46336713711776" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_dac_actions" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86731r3_rule"],"DISA CCI":["CCI-000126","CCI-000172"],"DISA SRG":["SRG-OS-000064-GPOS-00033","SRG-OS-000392-GPOS-00172","SRG-OS-000458-GPOS-00203"],"DISA STIG":["RHEL-07-030420"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AC-17(7)","AU-1(b)","AU-2(a)","AU-2(c)","AU-2(d)","AU-12(a)","AU-12(c)","IR-5"],"CIS Recommendation":["5.2.10"],"FBI CJIS":["5.4.1.1"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"],"PCI-DSS Requirement":["Req-10.5.5"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336713711776" onclick="return openRuleDetailsDialog('idm46336713711776')">Record Events that Modify the System's Discretionary Access Controls - fchmod</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lremovexattr" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lremovexattr" id="rule-overview-leaf-idm46336713696656" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_dac_actions" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86745r3_rule"],"DISA CCI":["CCI-000172"],"DISA SRG":["SRG-OS-000064-GPOS-00033","SRG-OS-000392-GPOS-00172","SRG-OS-000458-GPOS-00203"],"DISA STIG":["RHEL-07-030490"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AC-17(7)","AU-1(b)","AU-2(a)","AU-2(c)","AU-2(d)","AU-12(a)","AU-12(c)","IR-5"],"CIS Recommendation":["5.2.10"],"FBI CJIS":["5.4.1.1"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"],"PCI-DSS Requirement":["Req-10.5.5"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336713696656" onclick="return openRuleDetailsDialog('idm46336713696656')">Record Events that Modify the System's Discretionary Access Controls - lremovexattr</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fsetxattr" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fsetxattr" id="rule-overview-leaf-idm46336713681648" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_dac_actions" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86737r3_rule"],"DISA CCI":["CCI-000126","CCI-000172"],"DISA SRG":["SRG-OS-000064-GPOS-00033","SRG-OS-000392-GPOS-00172","SRG-OS-000458-GPOS-00203"],"DISA STIG":["RHEL-07-030450"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AC-17(7)","AU-1(b)","AU-2(a)","AU-2(c)","AU-2(d)","AU-12(a)","AU-12(c)","IR-5"],"CIS Recommendation":["5.2.10"],"FBI CJIS":["5.4.1.1"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"],"PCI-DSS Requirement":["Req-10.5.5"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336713681648" onclick="return openRuleDetailsDialog('idm46336713681648')">Record Events that Modify the System's Discretionary Access Controls - fsetxattr</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lchown" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lchown" id="rule-overview-leaf-idm46336713666896" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_dac_actions" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86725r3_rule"],"DISA CCI":["CCI-000126","CCI-000172"],"DISA SRG":["SRG-OS-000064-GPOS-00033","SRG-OS-000392-GPOS-00172","SRG-OS-000458-GPOS-00203","SRG-OS-000474-GPOS-00219"],"DISA STIG":["RHEL-07-030390"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AC-17(7)","AU-1(b)","AU-2(a)","AU-2(c)","AU-2(d)","AU-12(a)","AU-12(c)","IR-5"],"CIS Recommendation":["5.2.10"],"FBI CJIS":["5.4.1.1"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"],"PCI-DSS Requirement":["Req-10.5.5"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336713666896" onclick="return openRuleDetailsDialog('idm46336713666896')">Record Events that Modify the System's Discretionary Access Controls - lchown</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_audit_execution_selinux_commands" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_audit_execution_selinux_commands" data-tt-parent-id="xccdf_org.ssgproject.content_group_auditd_configure_rules"><td colspan="3" style="padding-left: 76px">Record Execution Attempts to Run SELinux Privileged Commands<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_audit_execution_selinux_commands");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_execution_setfiles" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_execution_setfiles" id="rule-overview-leaf-idm46336713651424" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_execution_selinux_commands" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86765r4_rule"],"DISA CCI":["CCI-000172","CCI-002884"],"DISA SRG":["SRG-OS-000392-GPOS-00172","SRG-OS-000463-GPOS-00207","SRG-OS-000465-GPOS-00209"],"DISA STIG":["RHEL-07-030590"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336713651424" onclick="return openRuleDetailsDialog('idm46336713651424')">Record Any Attempts to Run setfiles</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_execution_setsebool" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_execution_setsebool" id="rule-overview-leaf-idm46336713634224" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_execution_selinux_commands" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86761r3_rule"],"DISA CCI":["CCI-000172","CCI-002884"],"DISA SRG":["SRG-OS-000392-GPOS-00172","SRG-OS-000463-GPOS-00207","SRG-OS-000465-GPOS-00209"],"DISA STIG":["RHEL-07-030570"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AU-12(c)"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336713634224" onclick="return openRuleDetailsDialog('idm46336713634224')">Record Any Attempts to Run setsebool</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_execution_semanage" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_execution_semanage" id="rule-overview-leaf-idm46336713829440" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_execution_selinux_commands" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86759r3_rule"],"DISA CCI":["CCI-000172","CCI-002884"],"DISA SRG":["SRG-OS-000392-GPOS-00172","SRG-OS-000463-GPOS-00207","SRG-OS-000465-GPOS-00209"],"DISA STIG":["RHEL-07-030560"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AU-12(c)"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336713829440" onclick="return openRuleDetailsDialog('idm46336713829440')">Record Any Attempts to Run semanage</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_execution_chcon" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_execution_chcon" id="rule-overview-leaf-idm46336713833408" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_execution_selinux_commands" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86763r3_rule"],"DISA CCI":["CCI-000172","CCI-002884"],"DISA SRG":["SRG-OS-000392-GPOS-00172","SRG-OS-000463-GPOS-00207","SRG-OS-000465-GPOS-00209"],"DISA STIG":["RHEL-07-030580"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AU-12(c)"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336713833408" onclick="return openRuleDetailsDialog('idm46336713833408')">Record Any Attempts to Run chcon</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_audit_file_deletion_events" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_audit_file_deletion_events" data-tt-parent-id="xccdf_org.ssgproject.content_group_auditd_configure_rules"><td colspan="3" style="padding-left: 76px">Record File Deletion Events by User<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_audit_file_deletion_events");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rmdir" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rmdir" id="rule-overview-leaf-idm46336713590384" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_file_deletion_events" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86827r3_rule"],"DISA CCI":["CCI-000366","CCI-000172","CCI-002884"],"DISA SRG":["SRG-OS-000466-GPOS-00210","SRG-OS-000467-GPOS-00210","SRG-OS-000468-GPOS-00212","SRG-OS-000392-GPOS-00172"],"DISA STIG":["RHEL-07-030900"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AC-17(7)","AU-1(b)","AU-2(a)","AU-2(c)","AU-2(d)","AU-12(a)","AU-12(c)","IR-5","MA-4(1)(a)"],"CIS Recommendation":["5.2.14"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"],"PCI-DSS Requirement":["Req-10.2.7"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336713590384" onclick="return openRuleDetailsDialog('idm46336713590384')">Ensure auditd Collects File Deletion Events by User - rmdir</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlinkat" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlinkat" id="rule-overview-leaf-idm46336713616672" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_file_deletion_events" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86831r3_rule"],"DISA CCI":["CCI-000366","CCI-000172","CCI-002884"],"DISA SRG":["SRG-OS-000466-GPOS-00210","SRG-OS-000467-GPOS-00210","SRG-OS-000468-GPOS-00212","SRG-OS-000392-GPOS-00172"],"DISA STIG":["RHEL-07-030920"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AC-17(7)","AU-1(b)","AU-2(a)","AU-2(c)","AU-2(d)","AU-12(a)","AU-12(c)","IR-5","MA-4(1)(a)"],"CIS Recommendation":["5.2.14"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"],"PCI-DSS Requirement":["Req-10.2.7"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336713616672" onclick="return openRuleDetailsDialog('idm46336713616672')">Ensure auditd Collects File Deletion Events by User - unlinkat</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rename" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rename" id="rule-overview-leaf-idm46336713620352" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_file_deletion_events" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86823r3_rule"],"DISA CCI":["CCI-000366","CCI-000172","CCI-002884"],"DISA SRG":["SRG-OS-000466-GPOS-00210","SRG-OS-000467-GPOS-00210","SRG-OS-000468-GPOS-00212","SRG-OS-000392-GPOS-00172"],"DISA STIG":["RHEL-07-030880"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AC-17(7)","AU-1(b)","AU-2(a)","AU-2(c)","AU-2(d)","AU-12(a)","AU-12(c)","IR-5","MA-4(1)(a)"],"CIS Recommendation":["5.2.14"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"],"PCI-DSS Requirement":["Req-10.2.7"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336713620352" onclick="return openRuleDetailsDialog('idm46336713620352')">Ensure auditd Collects File Deletion Events by User - rename</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_renameat" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_renameat" id="rule-overview-leaf-idm46336713567152" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_file_deletion_events" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86825r3_rule"],"DISA CCI":["CCI-000366","CCI-000172","CCI-002884"],"DISA SRG":["SRG-OS-000466-GPOS-00210","SRG-OS-000467-GPOS-00210","SRG-OS-000468-GPOS-00212","SRG-OS-000392-GPOS-00172"],"DISA STIG":["RHEL-07-030890"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AC-17(7)","AU-1(b)","AU-2(a)","AU-2(c)","AU-2(d)","AU-12(a)","AU-12(c)","IR-5","MA-4(1)(a)"],"CIS Recommendation":["5.2.14"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"],"PCI-DSS Requirement":["Req-10.2.7"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336713567152" onclick="return openRuleDetailsDialog('idm46336713567152')">Ensure auditd Collects File Deletion Events by User - renameat</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlink" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlink" id="rule-overview-leaf-idm46336713569424" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_file_deletion_events" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86829r3_rule"],"DISA CCI":["CCI-000366","CCI-000172","CCI-002884"],"DISA SRG":["SRG-OS-000466-GPOS-00210","SRG-OS-000467-GPOS-00210","SRG-OS-000468-GPOS-00212","SRG-OS-000392-GPOS-00172"],"DISA STIG":["RHEL-07-030910"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AC-17(7)","AU-1(b)","AU-2(a)","AU-2(c)","AU-2(d)","AU-12(a)","AU-12(c)","IR-5","MA-4(1)(a)"],"CIS Recommendation":["5.2.14"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"],"PCI-DSS Requirement":["Req-10.2.7"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336713569424" onclick="return openRuleDetailsDialog('idm46336713569424')">Ensure auditd Collects File Deletion Events by User - unlink</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_audit_privileged_commands" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_audit_privileged_commands" data-tt-parent-id="xccdf_org.ssgproject.content_group_auditd_configure_rules"><td colspan="3" style="padding-left: 76px"><strong>Record Information on the Use of Privileged Commands</strong> <span class="badge">1x error</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_umount" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_umount" id="rule-overview-leaf-idm46336713512704" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_privileged_commands" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86797r4_rule"],"DISA CCI":["CCI-000135","CCI-000172","CCI-002884"],"DISA SRG":["SRG-OS-000042-GPOS-00020","SRG-OS-000392-GPOS-00172","SRG-OS-000471-GPOS-00215"],"DISA STIG":["RHEL-07-030750"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AU-3(1)","AU-12(c)"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336713512704" onclick="return openRuleDetailsDialog('idm46336713512704')">Ensure auditd Collects Information on the Use of Privileged Commands - umount</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_passwd" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_passwd" id="rule-overview-leaf-idm46336713497248" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_privileged_commands" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86773r3_rule"],"DISA CCI":["CCI-000135","CCI-000172","CCI-002884"],"DISA SRG":["SRG-OS-000042-GPOS-00020","SRG-OS-000392-GPOS-00172","SRG-OS-000471-GPOS-00215"],"DISA STIG":["RHEL-07-030630"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AU-3(1)","AU-12(c)"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336713497248" onclick="return openRuleDetailsDialog('idm46336713497248')">Ensure auditd Collects Information on the Use of Privileged Commands - passwd</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_postqueue" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_postqueue" id="rule-overview-leaf-idm46336713482592" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_privileged_commands" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86801r2_rule"],"DISA CCI":["CCI-000135","CCI-000172","CCI-002884"],"DISA SRG":["SRG-OS-000042-GPOS-00020","SRG-OS-000392-GPOS-00172","SRG-OS-000471-GPOS-00215"],"DISA STIG":["RHEL-07-030770"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AU-3(1)","AU-12(c)"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336713482592" onclick="return openRuleDetailsDialog('idm46336713482592')">Ensure auditd Collects Information on the Use of Privileged Commands - postqueue</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chage" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chage" id="rule-overview-leaf-idm46336713468048" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_privileged_commands" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86779r3_rule"],"DISA CCI":["CCI-000135","CCI-000172","CCI-002884"],"DISA SRG":["SRG-OS-000042-GPOS-00020","SRG-OS-000392-GPOS-00172","SRG-OS-000471-GPOS-00215"],"DISA STIG":["RHEL-07-030660"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AU-3(1)","AU-12(c)"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336713468048" onclick="return openRuleDetailsDialog('idm46336713468048')">Ensure auditd Collects Information on the Use of Privileged Commands - chage</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands" class="rule-overview-leaf rule-overview-leaf-error rule-overview-needs-attention" id="rule-overview-leaf-idm46336713452976" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_privileged_commands" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86719r5_rule"],"DISA CCI":["CCI-002234"],"DISA SRG":["SRG-OS-000327-GPOS-00127"],"DISA STIG":["RHEL-07-030360"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AC-17(7)","AU-1(b)","AU-2(a)","AU-2(c)","AU-2(d)","AU-2(4)","AU-6(9)","AU-12(a)","AU-12(c)","IR-5"],"CIS Recommendation":["5.2.10"],"FBI CJIS":["5.4.1.1"],"PCI-DSS Requirement":["Req-10.2.2"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336713452976" onclick="return openRuleDetailsDialog('idm46336713452976')">Ensure auditd Collects Information on the Use of Privileged Commands</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-error"><div><abbr title="The checking engine could not complete the evaluation, therefore the status of the target's compliance with the rule is not certain. This could happen, for example, if a testing tool was run with insufficient privileges and could not gather all of the necessary information.">error</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_userhelper" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_userhelper" id="rule-overview-leaf-idm46336713426064" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_privileged_commands" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86781r3_rule"],"DISA CCI":["CCI-000135","CCI-000172","CCI-002884"],"DISA SRG":["SRG-OS-000042-GPOS-00020","SRG-OS-000392-GPOS-00172","SRG-OS-000471-GPOS-00215"],"DISA STIG":["RHEL-07-030670"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AU-3(1)","AU-12(c)"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336713426064" onclick="return openRuleDetailsDialog('idm46336713426064')">Ensure auditd Collects Information on the Use of Privileged Commands - userhelper</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_ssh_keysign" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_ssh_keysign" id="rule-overview-leaf-idm46336713538864" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_privileged_commands" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86803r2_rule"],"DISA CCI":["CCI-000135","CCI-000172","CCI-002884"],"DISA SRG":["SRG-OS-000042-GPOS-00020","SRG-OS-000392-GPOS-00172","SRG-OS-000471-GPOS-00215"],"DISA STIG":["RHEL-07-030780"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AU-3(1)","AU-12(c)"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336713538864" onclick="return openRuleDetailsDialog('idm46336713538864')">Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudoedit" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudoedit" id="rule-overview-leaf-idm46336713419360" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_privileged_commands" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86793r4_rule"],"DISA CCI":["CCI-000135","CCI-000172","CCI-002884"],"DISA SRG":["SRG-OS-000042-GPOS-00020","SRG-OS-000392-GPOS-00172","SRG-OS-000471-GPOS-00215"],"DISA STIG":["RHEL-07-030730"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AU-3(1)","AU-12(c)"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336713419360" onclick="return openRuleDetailsDialog('idm46336713419360')">Ensure auditd Collects Information on the Use of Privileged Commands - sudoedit</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_su" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_su" id="rule-overview-leaf-idm46336713388560" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_privileged_commands" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86783r4_rule"],"DISA CCI":["CCI-000135","CCI-000172","CCI-002884"],"DISA SRG":["SRG-OS-000042-GPOS-00020","SRG-OS-000392-GPOS-00172","SRG-OS-000471-GPOS-00215"],"DISA STIG":["RHEL-07-030680"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AU-3(1)","AU-12(c)"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336713388560" onclick="return openRuleDetailsDialog('idm46336713388560')">Ensure auditd Collects Information on the Use of Privileged Commands - su</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_pam_timestamp_check" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_pam_timestamp_check" id="rule-overview-leaf-idm46336713377424" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_privileged_commands" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86809r3_rule"],"DISA CCI":["CCI-000135","CCI-000172","CCI-002884"],"DISA SRG":["SRG-OS-000042-GPOS-00020","SRG-OS-000392-GPOS-00172","SRG-OS-000471-GPOS-00215"],"DISA STIG":["RHEL-07-030810"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AU-3(1)","AU-12(c)"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336713377424" onclick="return openRuleDetailsDialog('idm46336713377424')">Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudo" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudo" id="rule-overview-leaf-idm46336713401584" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_privileged_commands" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86785r3_rule"],"DISA CCI":["CCI-000135","CCI-000172","CCI-002884"],"DISA SRG":["SRG-OS-000042-GPOS-00020","SRG-OS-000392-GPOS-00172","SRG-OS-000471-GPOS-00215"],"DISA STIG":["RHEL-07-030690"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AU-3(1)","AU-12(c)"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336713401584" onclick="return openRuleDetailsDialog('idm46336713401584')">Ensure auditd Collects Information on the Use of Privileged Commands - sudo</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_newgrp" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_newgrp" id="rule-overview-leaf-idm46336713407360" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_privileged_commands" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86789r3_rule"],"DISA CCI":["CCI-000135","CCI-000172","CCI-002884"],"DISA SRG":["SRG-OS-000042-GPOS-00020","SRG-OS-000392-GPOS-00172","SRG-OS-000471-GPOS-00215"],"DISA STIG":["RHEL-07-030710"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AU-3(1)","AU-12(c)"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336713407360" onclick="return openRuleDetailsDialog('idm46336713407360')">Ensure auditd Collects Information on the Use of Privileged Commands - newgrp</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_crontab" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_crontab" id="rule-overview-leaf-idm46336713332848" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_privileged_commands" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86807r2_rule"],"DISA CCI":["CCI-000135","CCI-000172","CCI-002884"],"DISA SRG":["SRG-OS-000042-GPOS-00020","SRG-OS-000392-GPOS-00172","SRG-OS-000471-GPOS-00215"],"DISA STIG":["RHEL-07-030800"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AU-3(1)","AU-12(c)"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336713332848" onclick="return openRuleDetailsDialog('idm46336713332848')">Ensure auditd Collects Information on the Use of Privileged Commands - crontab</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_gpasswd" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_gpasswd" id="rule-overview-leaf-idm46336713318016" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_privileged_commands" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86777r3_rule"],"DISA CCI":["CCI-000135","CCI-000172","CCI-002884"],"DISA SRG":["SRG-OS-000042-GPOS-00020","SRG-OS-000392-GPOS-00172","SRG-OS-000471-GPOS-00215"],"DISA STIG":["RHEL-07-030650"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AU-3(1)","AU-12(c)"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336713318016" onclick="return openRuleDetailsDialog('idm46336713318016')">Ensure auditd Collects Information on the Use of Privileged Commands - gpasswd</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_unix_chkpwd" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_unix_chkpwd" id="rule-overview-leaf-idm46336713303184" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_privileged_commands" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86775r4_rule"],"DISA CCI":["CCI-000135","CCI-000172","CCI-002884"],"DISA SRG":["SRG-OS-000042-GPOS-00020","SRG-OS-000392-GPOS-00172","SRG-OS-000471-GPOS-00215"],"DISA STIG":["RHEL-07-030640"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AU-3(1)","AU-12(c)"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336713303184" onclick="return openRuleDetailsDialog('idm46336713303184')">Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwd</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_postdrop" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_postdrop" id="rule-overview-leaf-idm46336713356768" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_privileged_commands" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86799r3_rule"],"DISA CCI":["CCI-000135","CCI-000172","CCI-002884"],"DISA SRG":["SRG-OS-000042-GPOS-00020","SRG-OS-000392-GPOS-00172","SRG-OS-000471-GPOS-00215"],"DISA STIG":["RHEL-07-030760"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AU-3(1)","AU-12(c)"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336713356768" onclick="return openRuleDetailsDialog('idm46336713356768')">Ensure auditd Collects Information on the Use of Privileged Commands - postdrop</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chsh" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chsh" id="rule-overview-leaf-idm46336713362736" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_privileged_commands" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86791r3_rule"],"DISA CCI":["CCI-000135","CCI-000172","CCI-002884"],"DISA SRG":["SRG-OS-000042-GPOS-00020","SRG-OS-000392-GPOS-00172","SRG-OS-000471-GPOS-00215"],"DISA STIG":["RHEL-07-030720"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AU-3(1)","AU-12(c)"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336713362736" onclick="return openRuleDetailsDialog('idm46336713362736')">Ensure auditd Collects Information on the Use of Privileged Commands - chsh</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_audit_unsuccessful_file_modification" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_audit_unsuccessful_file_modification" data-tt-parent-id="xccdf_org.ssgproject.content_group_auditd_configure_rules"><td colspan="3" style="padding-left: 76px">Record Unauthorized Access Attempts Events to Files (unsuccessful)<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_audit_unsuccessful_file_modification");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_by_handle_at" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_by_handle_at" id="rule-overview-leaf-idm46336713258800" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_unsuccessful_file_modification" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86753r3_rule"],"DISA CCI":["CCI-000172","CCI-002884"],"DISA SRG":["SRG-OS-000064-GPOS-00033","SRG-OS-000458-GPOS-00203","SRG-OS-000461-GPOS-00205","SRG-OS-000392-GPOS-00172"],"DISA STIG":["RHEL-07-030530"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AC-17(7)","AU-1(b)","AU-2(a)","AU-2(c)","AU-2(d)","AU-12(a)","AU-12(c)","IR-5"],"CIS Recommendation":["5.2.10"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"],"PCI-DSS Requirement":["Req-10.2.4","Req-10.2.1"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336713258800" onclick="return openRuleDetailsDialog('idm46336713258800')">Record Unauthorized Access Attempts to Files (unsuccessful) - open_by_handle_at</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open" id="rule-overview-leaf-idm46336713282656" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_unsuccessful_file_modification" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86749r3_rule"],"DISA CCI":["CCI-000172","CCI-002884"],"DISA SRG":["SRG-OS-000064-GPOS-00033","SRG-OS-000458-GPOS-00203","SRG-OS-000461-GPOS-00205","SRG-OS-000392-GPOS-00172"],"DISA STIG":["RHEL-07-030510"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AC-17(7)","AU-1(b)","AU-2(a)","AU-2(c)","AU-2(d)","AU-12(a)","AU-12(c)","IR-5"],"CIS Recommendation":["5.2.10"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"],"PCI-DSS Requirement":["Req-10.2.4","Req-10.2.1"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336713282656" onclick="return openRuleDetailsDialog('idm46336713282656')">Record Unauthorized Access Attempts to Files (unsuccessful) - open</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_creat" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_creat" id="rule-overview-leaf-idm46336713286336" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_unsuccessful_file_modification" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86747r3_rule"],"DISA CCI":["CCI-000172","CCI-002884"],"DISA SRG":["SRG-OS-000064-GPOS-00033","SRG-OS-000458-GPOS-00203","SRG-OS-000461-GPOS-00205","SRG-OS-000392-GPOS-00172"],"DISA STIG":["RHEL-07-030500"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AC-17(7)","AU-1(b)","AU-2(a)","AU-2(c)","AU-2(d)","AU-12(a)","AU-12(c)","IR-5"],"CIS Recommendation":["5.2.10"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"],"PCI-DSS Requirement":["Req-10.2.4","Req-10.2.1"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336713286336" onclick="return openRuleDetailsDialog('idm46336713286336')">Record Unauthorized Access Attempts to Files (unsuccessful) - creat</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_ftruncate" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_ftruncate" id="rule-overview-leaf-idm46336713241328" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_unsuccessful_file_modification" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86757r3_rule"],"DISA CCI":["CCI-000172","CCI-002884"],"DISA SRG":["SRG-OS-000064-GPOS-00033","SRG-OS-000458-GPOS-00203","SRG-OS-000461-GPOS-00205","SRG-OS-000392-GPOS-00172"],"DISA STIG":["RHEL-07-030550"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AC-17(7)","AU-1(b)","AU-2(a)","AU-2(c)","AU-2(d)","AU-12(a)","AU-12(c)","IR-5"],"CIS Recommendation":["5.2.10"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"],"PCI-DSS Requirement":["Req-10.2.4","Req-10.2.1"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336713241328" onclick="return openRuleDetailsDialog('idm46336713241328')">Record Unauthorized Access Attempts to Files (unsuccessful) - ftruncate</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_truncate" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_truncate" id="rule-overview-leaf-idm46336713229632" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_unsuccessful_file_modification" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86755r3_rule"],"DISA CCI":["CCI-000172","CCI-002884"],"DISA SRG":["SRG-OS-000064-GPOS-00033","SRG-OS-000458-GPOS-00203","SRG-OS-000461-GPOS-00205","SRG-OS-000392-GPOS-00172"],"DISA STIG":["RHEL-07-030540"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AC-17(7)","AU-1(b)","AU-2(a)","AU-2(c)","AU-2(d)","AU-12(a)","AU-12(c)","IR-5"],"CIS Recommendation":["5.2.10"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"],"PCI-DSS Requirement":["Req-10.2.4","Req-10.2.1"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336713229632" onclick="return openRuleDetailsDialog('idm46336713229632')">Record Unauthorized Access Attempts to Files (unsuccessful) - truncate</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_openat" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_openat" id="rule-overview-leaf-idm46336713235472" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_unsuccessful_file_modification" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86751r3_rule"],"DISA CCI":["CCI-000172","CCI-002884"],"DISA SRG":["SRG-OS-000064-GPOS-00033","SRG-OS-000458-GPOS-00203","SRG-OS-000461-GPOS-00205","SRG-OS-000392-GPOS-00172"],"DISA STIG":["RHEL-07-030520"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AC-17(7)","AU-1(b)","AU-2(a)","AU-2(c)","AU-2(d)","AU-12(a)","AU-12(c)","IR-5"],"CIS Recommendation":["5.2.10"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"],"PCI-DSS Requirement":["Req-10.2.4","Req-10.2.1"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336713235472" onclick="return openRuleDetailsDialog('idm46336713235472')">Record Unauthorized Access Attempts to Files (unsuccessful) - openat</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_shadow" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_shadow" id="rule-overview-leaf-idm46336713110544" data-tt-parent-id="xccdf_org.ssgproject.content_group_auditd_configure_rules" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-87823r3_rule"],"DISA CCI":["CCI-000018","CCI-000172","CCI-001403","CCI-002130"],"DISA SRG":["SRG-OS-000004-GPOS-00004"],"DISA STIG":["RHEL-07-030873"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AC-2(4)","AC-17(7)","AU-1(b)","AU-2(a)","AU-2(c)","AU-2(d)","AU-12(a)","AU-12(c)","IR-5"],"CIS Recommendation":["5.2.5"],"FBI CJIS":["5.4.1.1"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"],"PCI-DSS Requirement":["Req-10.2.5"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336713110544" onclick="return openRuleDetailsDialog('idm46336713110544')">Record Events that Modify User/Group Information - /etc/shadow</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_gshadow" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_gshadow" id="rule-overview-leaf-idm46336713130800" data-tt-parent-id="xccdf_org.ssgproject.content_group_auditd_configure_rules" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-87819r3_rule"],"DISA CCI":["CCI-000018","CCI-000172","CCI-001403","CCI-002130"],"DISA SRG":["SRG-OS-000004-GPOS-00004"],"DISA STIG":["RHEL-07-030872"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AC-2(4)","AC-17(7)","AU-1(b)","AU-2(a)","AU-2(c)","AU-2(d)","AU-12(a)","AU-12(c)","IR-5"],"CIS Recommendation":["5.2.5"],"FBI CJIS":["5.4.1.1"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"],"PCI-DSS Requirement":["Req-10.2.5"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336713130800" onclick="return openRuleDetailsDialog('idm46336713130800')">Record Events that Modify User/Group Information - /etc/gshadow</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_media_export" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_media_export" id="rule-overview-leaf-idm46336713142880" data-tt-parent-id="xccdf_org.ssgproject.content_group_auditd_configure_rules" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86795r5_rule"],"DISA CCI":["CCI-000135","CCI-002884"],"DISA SRG":["SRG-OS-000042-GPOS-00020","SRG-OS-000392-GPOS-00172"],"DISA STIG":["RHEL-07-030740"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AC-17(7)","AU-1(b)","AU-2(a)","AU-2(c)","AU-2(d)","AU-3(1)","AU-12(a)","AU-12(c)","IR-5"],"CIS Recommendation":["5.2.13"],"FBI CJIS":["5.4.1.1"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"PCI-DSS Requirement":["Req-10.2.7"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336713142880" onclick="return openRuleDetailsDialog('idm46336713142880')">Ensure auditd Collects Information on Exporting to Media (successful)</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_opasswd" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_opasswd" id="rule-overview-leaf-idm46336713056000" data-tt-parent-id="xccdf_org.ssgproject.content_group_auditd_configure_rules" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-87825r4_rule"],"DISA CCI":["CCI-000018","CCI-000172","CCI-001403","CCI-002130"],"DISA SRG":["SRG-OS-000004-GPOS-00004"],"DISA STIG":["RHEL-07-030874"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AC-2(4)","AC-17(7)","AU-1(b)","AU-2(a)","AU-2(c)","AU-2(d)","AU-12(a)","AU-12(c)","IR-5"],"CIS Recommendation":["5.2.5"],"FBI CJIS":["5.4.1.1"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"],"PCI-DSS Requirement":["Req-10.2.5"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336713056000" onclick="return openRuleDetailsDialog('idm46336713056000')">Record Events that Modify User/Group Information - /etc/security/opasswd</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions" id="rule-overview-leaf-idm46336713038528" data-tt-parent-id="xccdf_org.ssgproject.content_group_auditd_configure_rules" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86787r4_rule"],"DISA CCI":["CCI-000126","CCI-000130","CCI-000135","CCI-000172","CCI-002884"],"DISA SRG":["SRG-OS-000037-GPOS-00015","SRG-OS-000042-GPOS-00020","SRG-OS-000392-GPOS-00172","SRG-OS-000462-GPOS-00206","SRG-OS-000471-GPOS-00215"],"DISA STIG":["RHEL-07-030700"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AC-2(7)(b)","AC-17(7)","AU-1(b)","AU-2(a)","AU-2(c)","AU-2(d)","iAU-3(1)","AU-12(a)","AU-12(c)","IR-5"],"FBI CJIS":["5.4.1.1"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"],"PCI-DSS Requirement":["Req-10.2.2","Req-10.2.5.b"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336713038528" onclick="return openRuleDetailsDialog('idm46336713038528')">Ensure auditd Collects System Administrator Actions</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_system_shutdown" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_system_shutdown" id="rule-overview-leaf-idm46336713034784" data-tt-parent-id="xccdf_org.ssgproject.content_group_auditd_configure_rules" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86705r3_rule"],"DISA CCI":["CCI-000139"],"DISA SRG":["SRG-OS-000046-GPOS-00022","SRG-OS-000047-GPOS-00023"],"DISA STIG":["RHEL-07-030010"],"NIST SP 800-171":["3.3.1","3.3.4"],"NIST SP 800-53":["AU-5","AU-5(a)"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336713034784" onclick="return openRuleDetailsDialog('idm46336713034784')">Shutdown System When Auditing Failures Occur</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_passwd" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_passwd" id="rule-overview-leaf-idm46336713062336" data-tt-parent-id="xccdf_org.ssgproject.content_group_auditd_configure_rules" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86821r4_rule"],"DISA CCI":["CCI-000018","CCI-000172","CCI-001403","CCI-002130"],"DISA SRG":["SRG-OS-000004-GPOS-00004","SRG-OS-000239-GPOS-00089","SRG-OS-000240-GPOS-00090","SRG-OS-000241-GPOS-00091","SRG-OS-000303-GPOS-00120","SRG-OS-000476-GPOS-00221"],"DISA STIG":["RHEL-07-030870"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AC-2(4)","AC-17(7)","AU-1(b)","AU-2(a)","AU-2(c)","AU-2(d)","AU-12(a)","AU-12(c)","IR-5"],"CIS Recommendation":["5.2.5"],"FBI CJIS":["5.4.1.1"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"],"PCI-DSS Requirement":["Req-10.2.5"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336713062336" onclick="return openRuleDetailsDialog('idm46336713062336')">Record Events that Modify User/Group Information - /etc/passwd</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_group" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_group" id="rule-overview-leaf-idm46336713016640" data-tt-parent-id="xccdf_org.ssgproject.content_group_auditd_configure_rules" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-87817r2_rule"],"DISA CCI":["CCI-000018","CCI-000172","CCI-001403","CCI-002130"],"DISA SRG":["SRG-OS-000004-GPOS-00004"],"DISA STIG":["RHEL-07-030871"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AC-2(4)","AC-17(7)","AU-1(b)","AU-2(a)","AU-2(c)","AU-2(d)","AU-12(a)","AU-12(c)","IR-5"],"CIS Recommendation":["5.2.5"],"FBI CJIS":["5.4.1.1"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"],"PCI-DSS Requirement":["Req-10.2.5"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336713016640" onclick="return openRuleDetailsDialog('idm46336713016640')">Record Events that Modify User/Group Information - /etc/group</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_auditd_enabled" class="rule-overview-leaf rule-overview-leaf-error rule-overview-needs-attention" id="rule-overview-leaf-idm46336713011568" data-tt-parent-id="xccdf_org.ssgproject.content_group_auditing" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86703r2_rule"],"DISA CCI":["CCI-000126","CCI-000131"],"DISA SRG":["SRG-OS-000038-GPOS-00016","SRG-OS-000039-GPOS-00017","SRG-OS-000042-GPOS-00021","SRG-OS-000254-GPOS-00095","SRG-OS-000255-GPOS-00096"],"DISA STIG":["RHEL-07-030000"],"NIST SP 800-171":["3.3.1","3.3.2","3.3.6"],"NIST SP 800-53":["AU-3","AC-17(1)","AU-1(b)","AU-10","AU-12(a)","AU-12(c)","AU-14(1)","IR-5"],"CIS Recommendation":["4.1.2"],"FBI CJIS":["5.4.1.1"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(5)(ii)(C)","164.310(a)(2)(iv)","164.310(d)(2)(iii)","164.312(b)"],"PCI-DSS Requirement":["Req-10"]}'><td style="padding-left: 57px"><a href="#rule-detail-idm46336713011568" onclick="return openRuleDetailsDialog('idm46336713011568')">Enable auditd Service</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-error"><div><abbr title="The checking engine could not complete the evaluation, therefore the status of the target's compliance with the rule is not certain. This could happen, for example, if a testing tool was run with insufficient privileges and could not gather all of the necessary information.">error</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_software" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_software" data-tt-parent-id="xccdf_org.ssgproject.content_group_system"><td colspan="3" style="padding-left: 38px"><strong>Installing and Maintaining Software</strong> <span class="badge">3x fail</span> <span class="badge">1x error</span> <span class="badge">1x notchecked</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_disk_partitioning" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_disk_partitioning" data-tt-parent-id="xccdf_org.ssgproject.content_group_software"><td colspan="3" style="padding-left: 57px">Disk Partitioning<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_disk_partitioning");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_partition_for_home" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_partition_for_home" id="rule-overview-leaf-idm46336712984736" data-tt-parent-id="xccdf_org.ssgproject.content_group_disk_partitioning" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86683r1_rule"],"DISA CCI":["CCI-000366","CCI-001208"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-021310"],"NIST SP 800-53":["SC-32(1)"],"CIS Recommendation":["1.1.13"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336712984736" onclick="return openRuleDetailsDialog('idm46336712984736')">Ensure /home Located On Separate Partition</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_partition_for_var" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_partition_for_var" id="rule-overview-leaf-idm46336712979024" data-tt-parent-id="xccdf_org.ssgproject.content_group_disk_partitioning" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86685r1_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-021320"],"NIST SP 800-53":["SC-32(1)"],"CIS Recommendation":["1.1.6"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336712979024" onclick="return openRuleDetailsDialog('idm46336712979024')">Ensure /var Located On Separate Partition</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_partition_for_tmp" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_partition_for_tmp" id="rule-overview-leaf-idm46336712975136" data-tt-parent-id="xccdf_org.ssgproject.content_group_disk_partitioning" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86689r1_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-021340"],"NIST SP 800-53":["SC-32(1)"],"CIS Recommendation":["1.1.2"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336712975136" onclick="return openRuleDetailsDialog('idm46336712975136')">Ensure /tmp Located On Separate Partition</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_partition_for_var_log_audit" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_partition_for_var_log_audit" id="rule-overview-leaf-idm46336712971248" data-tt-parent-id="xccdf_org.ssgproject.content_group_disk_partitioning" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86687r5_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-021330"],"NIST SP 800-53":["AU-4","AU-9","SC-32(1)"],"CIS Recommendation":["1.1.12"],"HIPAA":["164.312(a)(2)(ii)"],"ISO 27001-2013":["A.12.3.1"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336712971248" onclick="return openRuleDetailsDialog('idm46336712971248')">Ensure /var/log/audit Located On Separate Partition</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_sudo" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_sudo" data-tt-parent-id="xccdf_org.ssgproject.content_group_software"><td colspan="3" style="padding-left: 57px">Sudo<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_sudo");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate" id="rule-overview-leaf-idm46336712962976" data-tt-parent-id="xccdf_org.ssgproject.content_group_sudo" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86573r2_rule"],"DISA CCI":["CCI-002038"],"DISA SRG":["SRG-OS-000373-GPOS-00156","SRG-OS-000373-GPOS-00157","SRG-OS-000373-GPOS-00158"],"DISA STIG":["RHEL-07-010350"],"NIST SP 800-53":["IA-11"],"ANSSI":["NT28(R5)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336712962976" onclick="return openRuleDetailsDialog('idm46336712962976')">Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd" id="rule-overview-leaf-idm46336712959008" data-tt-parent-id="xccdf_org.ssgproject.content_group_sudo" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86571r2_rule"],"DISA CCI":["CCI-002038"],"DISA SRG":["SRG-OS-000373-GPOS-00156","SRG-OS-000373-GPOS-00157","SRG-OS-000373-GPOS-00158"],"DISA STIG":["RHEL-07-010340"],"NIST SP 800-53":["IA-11"],"ANSSI":["NT28(R5)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336712959008" onclick="return openRuleDetailsDialog('idm46336712959008')">Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_integrity" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_integrity" data-tt-parent-id="xccdf_org.ssgproject.content_group_software"><td colspan="3" style="padding-left: 57px"><strong>System and Software Integrity</strong> <span class="badge">2x fail</span> <span class="badge">1x error</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_certified-vendor" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_certified-vendor" data-tt-parent-id="xccdf_org.ssgproject.content_group_integrity"><td colspan="3" style="padding-left: 76px">Operating System Vendor Support and Certification<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_certified-vendor");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_installed_OS_is_certified" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_installed_OS_is_certified" id="rule-overview-leaf-idm46336712955120" data-tt-parent-id="xccdf_org.ssgproject.content_group_certified-vendor" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86621r2_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-020250"],"NIST SP 800-53":["SI-2(c)"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336712955120" onclick="return openRuleDetailsDialog('idm46336712955120')">The Installed Operating System Is Vendor Supported and Certified</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_fips" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_fips" data-tt-parent-id="xccdf_org.ssgproject.content_group_integrity"><td colspan="3" style="padding-left: 76px"><strong>Federal Information Processing Standard (FIPS)</strong> <span class="badge">1x error</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode" class="rule-overview-leaf rule-overview-leaf-error rule-overview-needs-attention" id="rule-overview-leaf-idm46336712949344" data-tt-parent-id="xccdf_org.ssgproject.content_group_fips" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86691r3_rule"],"DISA CCI":["CCI-000068","CCI-002450"],"DISA SRG":["SRG-OS-000033-GPOS-00014","SRG-OS-000396-GPOS-00176","SRG-OS-000478-GPOS-00223"],"DISA STIG":["RHEL-07-021350"],"NIST SP 800-171":["3.13.8","3.13.11"],"NIST SP 800-53":["AC-17(2)"],"FBI CJIS":["5.10.1.2"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336712949344" onclick="return openRuleDetailsDialog('idm46336712949344')">Enable FIPS Mode in GRUB2</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-error"><div><abbr title="The checking engine could not complete the evaluation, therefore the status of the target's compliance with the rule is not certain. This could happen, for example, if a testing tool was run with insufficient privileges and could not gather all of the necessary information.">error</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_endpoint_security_software" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_endpoint_security_software" data-tt-parent-id="xccdf_org.ssgproject.content_group_integrity"><td colspan="3" style="padding-left: 76px"><strong>Endpoint Protection Software</strong> <span class="badge">2x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_mcafee_security_software" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_mcafee_security_software" data-tt-parent-id="xccdf_org.ssgproject.content_group_endpoint_security_software"><td colspan="3" style="padding-left: 95px"><strong>McAfee Endpoint Security Software</strong> <span class="badge">2x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_mcafee_antivirus_definitions_updated" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46336712923968" data-tt-parent-id="xccdf_org.ssgproject.content_group_mcafee_security_software" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86839r2_rule"],"DISA CCI":["CCI-000366","CCI-001239","CCI-001668"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-032010"],"NIST SP 800-53":["SC-28","SI-3","SI-3(1)(ii)"]}'><td style="padding-left: 114px"><a href="#rule-detail-idm46336712923968" onclick="return openRuleDetailsDialog('idm46336712923968')">Virus Scanning Software Definitions Are Updated</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_install_mcafee_antivirus" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46336712919088" data-tt-parent-id="xccdf_org.ssgproject.content_group_mcafee_security_software" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86837r2_rule"],"DISA CCI":["CCI-000366","CCI-001239","CCI-001668"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-032000"],"NIST SP 800-53":["SC-28","SI-3","SI-3(1)(ii)"]}'><td style="padding-left: 114px"><a href="#rule-detail-idm46336712919088" onclick="return openRuleDetailsDialog('idm46336712919088')">Install McAfee Virus Scanning Software</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_software-integrity" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_software-integrity" data-tt-parent-id="xccdf_org.ssgproject.content_group_integrity"><td colspan="3" style="padding-left: 76px">Software Integrity Checking<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_software-integrity");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_rpm_verification" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_rpm_verification" data-tt-parent-id="xccdf_org.ssgproject.content_group_software-integrity"><td colspan="3" style="padding-left: 95px">Verify Integrity with RPM<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_rpm_verification");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_rpm_verify_permissions" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_rpm_verify_permissions" id="rule-overview-leaf-idm46336712908304" data-tt-parent-id="xccdf_org.ssgproject.content_group_rpm_verification" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86473r2_rule"],"DISA CCI":["CCI-001494","CCI-001496"],"DISA SRG":["SRG-OS-000257-GPOS-00098","SRG-OS-000278-GPOS-00108"],"DISA STIG":["RHEL-07-010010"],"NIST SP 800-171":["3.3.8","3.4.1"],"NIST SP 800-53":["AC-6","AU-9(1)","AU-9(3)","CM-6(d)","CM-6(3)"],"CIS Recommendation":["1.2.6","6.1.3","6.1.4","6.1.5","6.1.6","6.1.7","6.1.8","6.1.9","6.2.3"],"FBI CJIS":["5.10.4.1"],"HIPAA":["164.308(a)(1)(ii)(D)","164.312(b)","164.312(c)(1)","164.312(c)(2)","164.312(e)(2)(i)"],"PCI-DSS Requirement":["Req-11.5"]}'><td style="padding-left: 114px"><a href="#rule-detail-idm46336712908304" onclick="return openRuleDetailsDialog('idm46336712908304')">Verify and Correct File Permissions with RPM</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_rpm_verify_ownership" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_rpm_verify_ownership" id="rule-overview-leaf-idm46336712904352" data-tt-parent-id="xccdf_org.ssgproject.content_group_rpm_verification" data-references='{"DISA CCI":["CCI-001494","CCI-001496"],"DISA SRG":["SRG-OS-000257-GPOS-00098","SRG-OS-000278-GPOS-00108"],"DISA STIG":["RHEL-07-TBD"],"NIST SP 800-171":["3.3.8","3.4.1"],"NIST SP 800-53":["AC-6","AU-9(1)","AU-9(3)","CM-6(d)","CM-6(3)"],"CIS Recommendation":["1.2.6","6.1.3","6.1.4","6.1.5","6.1.6","6.1.7","6.1.8","6.1.9","6.2.3"],"FBI CJIS":["5.10.4.1"],"PCI-DSS Requirement":["Req-11.5"]}'><td style="padding-left: 114px"><a href="#rule-detail-idm46336712904352" onclick="return openRuleDetailsDialog('idm46336712904352')">Verify and Correct Ownership with RPM</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_rpm_verify_hashes" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_rpm_verify_hashes" id="rule-overview-leaf-idm46336712900464" data-tt-parent-id="xccdf_org.ssgproject.content_group_rpm_verification" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86479r2_rule"],"DISA CCI":["CCI-000663"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-010020"],"NIST SP 800-171":["3.3.8","3.4.1"],"NIST SP 800-53":["CM-6(d)","CM-6(3)","SI-7(1)"],"CIS Recommendation":["1.2.6"],"FBI CJIS":["5.10.4.1"],"HIPAA":["164.308(a)(1)(ii)(D)","164.312(b)","164.312(c)(1)","164.312(c)(2)","164.312(e)(2)(i)"],"PCI-DSS Requirement":["Req-11.5"]}'><td style="padding-left: 114px"><a href="#rule-detail-idm46336712900464" onclick="return openRuleDetailsDialog('idm46336712900464')">Verify File Hashes with RPM</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_aide" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_aide" data-tt-parent-id="xccdf_org.ssgproject.content_group_software-integrity"><td colspan="3" style="padding-left: 95px">Verify Integrity with AIDE<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_aide");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_aide_installed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_aide_installed" id="rule-overview-leaf-idm46336712896576" data-tt-parent-id="xccdf_org.ssgproject.content_group_aide" data-references='{"NIST SP 800-53":["CM-3(d)","CM-3(e)","CM-6(d)","CM-6(3)","SC-28","SI-7"],"CIS Recommendation":["1.3.1"],"FBI CJIS":["5.10.1.3"],"PCI-DSS Requirement":["Req-11.5"]}'><td style="padding-left: 114px"><a href="#rule-detail-idm46336712896576" onclick="return openRuleDetailsDialog('idm46336712896576')">Install AIDE</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_aide_verify_ext_attributes" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_aide_verify_ext_attributes" id="rule-overview-leaf-idm46336712892672" data-tt-parent-id="xccdf_org.ssgproject.content_group_aide" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86695r2_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-021610"],"NIST SP 800-53":["SI-7.1"]}'><td style="padding-left: 114px"><a href="#rule-detail-idm46336712892672" onclick="return openRuleDetailsDialog('idm46336712892672')">Configure AIDE to Verify Extended Attributes</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_aide_verify_acls" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_aide_verify_acls" id="rule-overview-leaf-idm46336712887072" data-tt-parent-id="xccdf_org.ssgproject.content_group_aide" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86693r2_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-021600"],"NIST SP 800-53":["SI-7.1"]}'><td style="padding-left: 114px"><a href="#rule-detail-idm46336712887072" onclick="return openRuleDetailsDialog('idm46336712887072')">Configure AIDE to Verify Access Control Lists (ACLs)</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_aide_use_fips_hashes" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_aide_use_fips_hashes" id="rule-overview-leaf-idm46336712874832" data-tt-parent-id="xccdf_org.ssgproject.content_group_aide" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86697r2_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-021620"],"NIST SP 800-171":["3.13.11"],"NIST SP 800-53":["SI-7(1)"]}'><td style="padding-left: 114px"><a href="#rule-detail-idm46336712874832" onclick="return openRuleDetailsDialog('idm46336712874832')">Configure AIDE to Use FIPS 140-2 for Validating Hashes</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_aide_scan_notification" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_aide_scan_notification" id="rule-overview-leaf-idm46336712876864" data-tt-parent-id="xccdf_org.ssgproject.content_group_aide" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86599r1_rule"],"DISA CCI":["CCI-001744"],"DISA SRG":["SRG-OS-000363-GPOS-00150"],"DISA STIG":["RHEL-07-020040"],"NIST SP 800-53":["CM-3(5)"]}'><td style="padding-left: 114px"><a href="#rule-detail-idm46336712876864" onclick="return openRuleDetailsDialog('idm46336712876864')">Configure Notification of Post-AIDE Scan Details</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking" id="rule-overview-leaf-idm46336712858480" data-tt-parent-id="xccdf_org.ssgproject.content_group_aide" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86597r1_rule"],"DISA CCI":["CCI-001744"],"DISA SRG":["SRG-OS-000363-GPOS-00150"],"DISA STIG":["RHEL-07-020030"],"NIST SP 800-53":["CM-3(d)","CM-3(e)","CM-3(5)","CM-6(d)","CM-6(3)","SC-28","SI-7"],"CIS Recommendation":["1.3.2"],"FBI CJIS":["5.10.1.3"],"PCI-DSS Requirement":["Req-11.5"]}'><td style="padding-left: 114px"><a href="#rule-detail-idm46336712858480" onclick="return openRuleDetailsDialog('idm46336712858480')">Configure Periodic Execution of AIDE</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_updating" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_updating" data-tt-parent-id="xccdf_org.ssgproject.content_group_software"><td colspan="3" style="padding-left: 57px"><strong>Updating Software</strong> <span class="badge">1x fail</span> <span class="badge">1x notchecked</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_security_patches_up_to_date" class="rule-overview-leaf rule-overview-leaf-notchecked rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_security_patches_up_to_date" id="rule-overview-leaf-idm46336712846512" data-tt-parent-id="xccdf_org.ssgproject.content_group_updating" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86623r3_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00227"],"DISA STIG":["RHEL-07-020260"],"NIST SP 800-53":["SI-2","SI-2(c)","MA-1(b)"],"CIS Recommendation":["1.8"],"FBI CJIS":["5.10.4.1"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_MOF_EXT.1"],"PCI-DSS Requirement":["Req-6.2"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336712846512" onclick="return openRuleDetailsDialog('idm46336712846512')">Ensure Software Patches Installed</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_ensure_gpgcheck_repo_metadata" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46336712839984" data-tt-parent-id="xccdf_org.ssgproject.content_group_updating" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86605r1_rule"],"DISA CCI":["CCI-001749"],"DISA SRG":["SRG-OS-000366-GPOS-00153"],"DISA STIG":["RHEL-07-020070"],"NIST SP 800-53":["CM-5(3)"],"HIPAA":["164.308(a)(1)(ii)(D)","164.312(b)","164.312(c)(1)","164.312(c)(2)","164.312(e)(2)(i)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336712839984" onclick="return openRuleDetailsDialog('idm46336712839984')">Ensure gpgcheck Enabled for Repository Metadata</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_clean_components_post_updating" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_clean_components_post_updating" id="rule-overview-leaf-idm46336712836016" data-tt-parent-id="xccdf_org.ssgproject.content_group_updating" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86611r1_rule"],"DISA CCI":["CCI-002617"],"DISA SRG":["SRG-OS-000437-GPOS-00194"],"DISA STIG":["RHEL-07-020200"],"NIST SP 800-171":["3.4.8"],"NIST SP 800-53":["SI-2(6)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336712836016" onclick="return openRuleDetailsDialog('idm46336712836016')">Ensure YUM Removes Previous Package Versions</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated" id="rule-overview-leaf-idm46336712817408" data-tt-parent-id="xccdf_org.ssgproject.content_group_updating" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86601r1_rule"],"DISA CCI":["CCI-001749"],"DISA SRG":["SRG-OS-000366-GPOS-00153"],"DISA STIG":["RHEL-07-020050"],"NIST SP 800-171":["3.4.8"],"NIST SP 800-53":["CM-5(3)","SI-7","MA-1(b)"],"CIS Recommendation":["1.2.2"],"FBI CJIS":["5.10.4.1"],"HIPAA":["164.308(a)(1)(ii)(D)","164.312(b)","164.312(c)(1)","164.312(c)(2)","164.312(e)(2)(i)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"],"PCI-DSS Requirement":["Req-6.2"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336712817408" onclick="return openRuleDetailsDialog('idm46336712817408')">Ensure gpgcheck Enabled In Main Yum Configuration</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages" id="rule-overview-leaf-idm46336712827936" data-tt-parent-id="xccdf_org.ssgproject.content_group_updating" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86603r1_rule"],"DISA CCI":["CCI-001749"],"DISA SRG":["SRG-OS-000366-GPOS-00153"],"DISA STIG":["RHEL-07-020060"],"NIST SP 800-171":["3.4.8"],"NIST SP 800-53":["CM-5(3)"],"HIPAA":["164.308(a)(1)(ii)(D)","164.312(b)","164.312(c)(1)","164.312(c)(2)","164.312(e)(2)(i)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46336712827936" onclick="return openRuleDetailsDialog('idm46336712827936')">Ensure gpgcheck Enabled for Local Packages</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_gnome" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_gnome" data-tt-parent-id="xccdf_org.ssgproject.content_group_software"><td colspan="3" style="padding-left: 57px">GNOME Desktop Environment<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_gnome");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_gnome_screen_locking" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_gnome_screen_locking" data-tt-parent-id="xccdf_org.ssgproject.content_group_gnome"><td colspan="3" style="padding-left: 76px">Configure GNOME Screen Locking<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_gnome_screen_locking");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_dconf_gnome_session_idle_user_locks" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_dconf_gnome_session_idle_user_locks" id="rule-overview-leaf-idm46336712816080" data-tt-parent-id="xccdf_org.ssgproject.content_group_gnome_screen_locking" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-87809r3_rule"],"DISA CCI":["CCI-000057"],"DISA SRG":["SRG-OS-00029-GPOS-0010"],"DISA STIG":["RHEL-07-010082"],"NIST SP 800-171":["3.1.10"],"NIST SP 800-53":["AC-11(a)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_MOF_EXT.1"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336712816080" onclick="return openRuleDetailsDialog('idm46336712816080')">Ensure Users Cannot Change GNOME3 Session Idle Settings</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_delay" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_delay" id="rule-overview-leaf-idm46336712812288" data-tt-parent-id="xccdf_org.ssgproject.content_group_gnome_screen_locking" data-references='{"":["OS-SRG-000029-GPOS-00010"],"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86525r2_rule"],"DISA CCI":["CCI-000056"],"DISA STIG":["RHEL-07-010110"],"NIST SP 800-171":["3.1.10"],"NIST SP 800-53":["AC-11(a)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_MOF_EXT.1"],"PCI-DSS Requirement":["Req-8.1.8"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336712812288" onclick="return openRuleDetailsDialog('idm46336712812288')">Set GNOME3 Screensaver Lock Delay After Activation Period</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_user_locks" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_user_locks" id="rule-overview-leaf-idm46336712801968" data-tt-parent-id="xccdf_org.ssgproject.content_group_gnome_screen_locking" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-87807r3_rule"],"DISA CCI":["CCI-000057"],"DISA SRG":["SRG-OS-00029-GPOS-0010"],"DISA STIG":["RHEL-07-010081"],"NIST SP 800-171":["3.1.10"],"NIST SP 800-53":["AC-11(a)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_MOF_EXT.1"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336712801968" onclick="return openRuleDetailsDialog('idm46336712801968')">Ensure Users Cannot Change GNOME3 Screensaver Settings</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_activation_enabled" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_activation_enabled" id="rule-overview-leaf-idm46336712796224" data-tt-parent-id="xccdf_org.ssgproject.content_group_gnome_screen_locking" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86523r3_rule"],"DISA CCI":["CCI-000057"],"DISA SRG":["SRG-OS-000029-GPOS-00010"],"DISA STIG":["RHEL-07-010100"],"NIST SP 800-171":["3.1.10"],"NIST SP 800-53":["AC-11(a)"],"FBI CJIS":["5.5.5"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_MOF_EXT.1"],"PCI-DSS Requirement":["Req-8.1.8"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336712796224" onclick="return openRuleDetailsDialog('idm46336712796224')">Enable GNOME3 Screensaver Idle Activation</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay" id="rule-overview-leaf-idm46336712790592" data-tt-parent-id="xccdf_org.ssgproject.content_group_gnome_screen_locking" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86517r4_rule"],"DISA CCI":["CCI-000057"],"DISA SRG":["SRG-OS-000029-GPOS-00010"],"DISA STIG":["RHEL-07-010070"],"NIST SP 800-171":["3.1.10"],"NIST SP 800-53":["AC-11(a)"],"FBI CJIS":["5.5.5"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_MOF_EXT.1"],"PCI-DSS Requirement":["Req-8.1.8"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336712790592" onclick="return openRuleDetailsDialog('idm46336712790592')">Set GNOME3 Screensaver Inactivity Timeout</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_locked" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_locked" id="rule-overview-leaf-idm46336712785776" data-tt-parent-id="xccdf_org.ssgproject.content_group_gnome_screen_locking" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-93701r1_rule"],"DISA CCI":["CCI-000056"],"DISA SRG":["SRG-OS-000029-GPOS-00010"],"DISA STIG":["RHEL-07-010062"],"NIST SP 800-171":["3.1.10"],"NIST SP 800-53":["AC-11(b)"],"FBI CJIS":["5.5.5"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_MOF_EXT.1"],"PCI-DSS Requirement":["Req-8.1.8"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336712785776" onclick="return openRuleDetailsDialog('idm46336712785776')">Ensure Users Cannot Change GNOME3 Screensaver Lock After Idle Period</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_enabled" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_enabled" id="rule-overview-leaf-idm46336712776256" data-tt-parent-id="xccdf_org.ssgproject.content_group_gnome_screen_locking" data-references='{"":["OS-SRG-000030-GPOS-00011"],"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86515r4_rule"],"DISA CCI":["CCI-000056"],"DISA SRG":["SRG-OS-000028-GPOS-00009"],"DISA STIG":["RHEL-07-010060"],"NIST SP 800-171":["3.1.10"],"NIST SP 800-53":["AC-11(b)"],"FBI CJIS":["5.5.5"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_MOF_EXT.1"],"PCI-DSS Requirement":["Req-8.1.8"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336712776256" onclick="return openRuleDetailsDialog('idm46336712776256')">Enable GNOME3 Screensaver Lock After Idle Period</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_activation_locked" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_activation_locked" id="rule-overview-leaf-idm46336712771440" data-tt-parent-id="xccdf_org.ssgproject.content_group_gnome_screen_locking" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-93703r1_rule"],"DISA CCI":["CCI-000057"],"DISA SRG":["SRG-OS-000029-GPOS-00010"],"DISA STIG":["RHEL-07-010101"],"NIST SP 800-171":["3.1.10"],"NIST SP 800-53":["AC-11(a)"],"FBI CJIS":["5.5.5"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_MOF_EXT.1"],"PCI-DSS Requirement":["Req-8.1.8"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336712771440" onclick="return openRuleDetailsDialog('idm46336712771440')">Ensure Users Cannot Change GNOME3 Screensaver Idle Activation</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_gnome_login_screen" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_gnome_login_screen" data-tt-parent-id="xccdf_org.ssgproject.content_group_gnome"><td colspan="3" style="padding-left: 76px">Configure GNOME Login Screen<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_gnome_login_screen");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_dconf_gnome_enable_smartcard_auth" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_dconf_gnome_enable_smartcard_auth" id="rule-overview-leaf-idm46336712743024" data-tt-parent-id="xccdf_org.ssgproject.content_group_gnome_login_screen" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-92515r1_rule"],"DISA CCI":["CCI-000765","CCI-000766","CCI-000767","CCI-000768","CCI-000771","CCI-000772","CCI-000884","CCI-001954"],"DISA SRG":["SRG-OS-000375-GPOS-00160"],"DISA STIG":["RHEL-07-010061"],"PCI-DSS Requirement":["Req-8.3"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336712743024" onclick="return openRuleDetailsDialog('idm46336712743024')">Enable the GNOME3 Login Smartcard Authentication</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_gnome_gdm_disable_automatic_login" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_gnome_gdm_disable_automatic_login" id="rule-overview-leaf-idm46336712734704" data-tt-parent-id="xccdf_org.ssgproject.content_group_gnome_login_screen" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86577r1_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00229"],"DISA STIG":["RHEL-07-010440"],"NIST SP 800-171":["3.1.1"],"NIST SP 800-53":["CM-6(b)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FIA_AFL.1"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336712734704" onclick="return openRuleDetailsDialog('idm46336712734704')">Disable GDM Automatic Login</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_gnome_gdm_disable_guest_login" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_gnome_gdm_disable_guest_login" id="rule-overview-leaf-idm46336712723840" data-tt-parent-id="xccdf_org.ssgproject.content_group_gnome_login_screen" data-references='{"http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx":["SV-86579r2_rule"],"DISA CCI":["CCI-000366"],"DISA SRG":["SRG-OS-000480-GPOS-00229"],"DISA STIG":["RHEL-07-010450"],"NIST SP 800-171":["3.1.1"],"NIST SP 800-53":["CM-6(b)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FIA_AFL.1"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46336712723840" onclick="return openRuleDetailsDialog('idm46336712723840')">Disable GDM Guest Login</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr></tbody></table></div><div class="js-only hidden-print"><button type="button" class="btn btn-info" onclick="return toggleResultDetails(this)">Show all result details</button></div><div id="result-details"><h2>Result Details</h2><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_no_host_based_files" id="rule-detail-idm46336716330976"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Remove Host-Based Authentication Filesxccdf_org.ssgproject.content_rule_no_host_based_files highCCE-80513-5 </div><div class="panel-heading"><h3 class="panel-title">Remove Host-Based Authentication Files</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_no_host_based_files</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:26</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80513-5">CCE-80513-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040550</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86903r1_rule</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>shosts.equiv</code> file list remote hosts and users that are trusted by the local system. To remove these files, run the following command to delete them from any location: <pre>$ sudo rm /[path]/[to]/[file]/shosts.equiv</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The shosts.equiv files are used to configure host-based authentication for the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_no_user_host_based_files" id="rule-detail-idm46336716324560"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Remove User Host-Based Authentication Filesxccdf_org.ssgproject.content_rule_no_user_host_based_files highCCE-80514-3 </div><div class="panel-heading"><h3 class="panel-title">Remove User Host-Based Authentication Files</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_no_user_host_based_files</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:27</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80514-3">CCE-80514-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040540</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86901r1_rule</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>~/.shosts</code> (in each user's home directory) files list remote hosts and users that are trusted by the local system. To remove these files, run the following command to delete them from any location: <pre>$ sudo rm ~/.shosts</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The .shosts files are used to configure host-based authentication for individual users or the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication.false</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_package_rsh-server_removed" id="rule-detail-idm46336716320592"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Uninstall rsh-server Packagexccdf_org.ssgproject.content_rule_package_rsh-server_removed highCCE-27342-5 </div><div class="panel-heading"><h3 class="panel-title">Uninstall rsh-server Package</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_rsh-server_removed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:27</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27342-5">CCE-27342-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-020000</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86591r1_rule</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000381</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000095-GPOS-00049</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>rsh-server</code> package can be uninstalled with the following command: <pre>$ sudo yum erase rsh-server</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The <code>rsh-server</code> service provides unencrypted remote access service which does not provide for the confidentiality and integrity of user passwords or the remote session and has very weak authentication. If a privileged user were to login using this service, the privileged user password could be compromised. The <code>rsh-server</code> package provides several obsolete and insecure network services. Removing it decreases the risk of those services' accidental (or intentional) activation.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_package_telnet-server_removed" id="rule-detail-idm46336716309104"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Uninstall telnet-server Packagexccdf_org.ssgproject.content_rule_package_telnet-server_removed highCCE-27165-0 </div><div class="panel-heading"><h3 class="panel-title">Uninstall telnet-server Package</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_telnet-server_removed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:27</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27165-0">CCE-27165-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-021710</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86701r1_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.1.1</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000381</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000095-GPOS-00049</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>telnet-server</code> package can be uninstalled with the following command: <pre>$ sudo yum erase telnet-server</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities are often overlooked and therefore may remain unsecure. They increase the risk to the platform by providing additional attack vectors. <br> The telnet service provides an unencrypted remote access service which does not provide for the confidentiality and integrity of user passwords or the remote session. If a privileged user were to login using this service, the privileged user password could be compromised. <br> Removing the <code>telnet-server</code> package decreases the risk of the telnet service's accidental (or intentional) activation.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_package_ypserv_removed" id="rule-detail-idm46336716300096"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Uninstall ypserv Packagexccdf_org.ssgproject.content_rule_package_ypserv_removed highCCE-27399-5 </div><div class="panel-heading"><h3 class="panel-title">Uninstall ypserv Package</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_ypserv_removed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:27</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27399-5">CCE-27399-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-020010</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86593r1_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.16</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000381</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000095-GPOS-00049</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>ypserv</code> package can be uninstalled with the following command: <pre>$ sudo yum erase ypserv</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The NIS service provides an unencrypted authentication service which does not provide for the confidentiality and integrity of user passwords or the remote session. Removing the <code>ypserv</code> package decreases the risk of the accidental (or intentional) activation of NIS or NIS+ services.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_package_tftp-server_removed" id="rule-detail-idm46336716291120"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Uninstall tftp-server Packagexccdf_org.ssgproject.content_rule_package_tftp-server_removed highCCE-80213-2 </div><div class="panel-heading"><h3 class="panel-title">Uninstall tftp-server Package</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_tftp-server_removed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:27</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80213-2">CCE-80213-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040700</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86925r1_rule</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000318</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000368</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001812</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001813</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001814</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p> The <code>tftp-server</code> package can be removed with the following command: <pre>$ sudo yum erase tftp-server</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Removing the <code>tftp-server</code> package decreases the risk of the accidental (or intentional) activation of tftp services. <br><br> If TFTP is required for operational support (such as transmission of router configurations), its use must be documented with the Information Systems Securty Manager (ISSM), restricted to only authorized personnel, and have access control rules established.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_tftpd_uses_secure_mode" id="rule-detail-idm46336716287152"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure tftp Daemon Uses Secure Modexccdf_org.ssgproject.content_rule_tftpd_uses_secure_mode mediumCCE-80214-0 </div><div class="panel-heading"><h3 class="panel-title">Ensure tftp Daemon Uses Secure Mode</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_tftpd_uses_secure_mode</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:27</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80214-0">CCE-80214-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040720</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86929r2_rule</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>If running the <code>tftp</code> service is necessary, it should be configured to change its root directory at startup. To do so, ensure <code>/etc/xinetd.d/tftp</code> includes <code>-s</code> as a command line argument, as shown in the following example (which is also the default): <pre>server_args = -s /var/lib/tftpboot</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Using the <code>-s</code> option causes the TFTP service to only serve files from the given directory. Serving files from an intentionally-specified directory reduces the risk of sharing files which should remain private.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_package_vsftpd_removed" id="rule-detail-idm46336716249152"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Uninstall vsftpd Packagexccdf_org.ssgproject.content_rule_package_vsftpd_removed highCCE-80245-4 </div><div class="panel-heading"><h3 class="panel-title">Uninstall vsftpd Package</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_vsftpd_removed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:27</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80245-4">CCE-80245-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040690</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86923r2_rule</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p> The <code>vsftpd</code> package can be removed with the following command: <pre>$ sudo yum erase vsftpd</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Removing the vsftpd package decreases the risk of its accidental activation.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_snmpd_not_default_password" id="rule-detail-idm46336716242704"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure Default SNMP Password Is Not Usedxccdf_org.ssgproject.content_rule_snmpd_not_default_password highCCE-27386-2 </div><div class="panel-heading"><h3 class="panel-title">Ensure Default SNMP Password Is Not Used</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_snmpd_not_default_password</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:27</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27386-2">CCE-27386-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040800</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86937r1_rule</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5.1(ii)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Edit <code>/etc/snmp/snmpd.conf</code>, remove or change the default community strings of <code>public</code> and <code>private</code>. Once the default community strings have been changed, restart the SNMP service: <pre>$ sudo service snmpd restart</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Whether active or not, default simple network management protocol (SNMP) community strings must be changed to maintain security. If the service is running with the default authenticators, then anyone can gather data about the system and the network and use the information to potentially compromise the integrity of the system and network(s).</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_file_groupowner_cron_allow" id="rule-detail-idm46336716233696"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Verify Group Who Owns /etc/cron.allow filexccdf_org.ssgproject.content_rule_file_groupowner_cron_allow mediumCCE-80379-1 </div><div class="panel-heading"><h3 class="panel-title">Verify Group Who Owns /etc/cron.allow file</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_file_groupowner_cron_allow</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:27</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80379-1">CCE-80379-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-021120</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86679r1_rule</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>If <code>/etc/cron.allow</code> exists, it must be group-owned by <code>root</code>. To properly set the group owner of <code>/etc/cron.allow</code>, run the command: <pre>$ sudo chgrp root /etc/cron.allow</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>If the owner of the cron.allow file is not set to root, the possibility exists for an unauthorized user to view or edit sensitive information.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_file_owner_cron_allow" id="rule-detail-idm46336716229728"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Verify User Who Owns /etc/cron.allow filexccdf_org.ssgproject.content_rule_file_owner_cron_allow mediumCCE-80378-3 </div><div class="panel-heading"><h3 class="panel-title">Verify User Who Owns /etc/cron.allow file</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_file_owner_cron_allow</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:27</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80378-3">CCE-80378-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-021110</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86677r2_rule</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>If <code>/etc/cron.allow</code> exists, it must be owned by <code>root</code>. To properly set the owner of <code>/etc/cron.allow</code>, run the command: <pre>$ sudo chown root /etc/cron.allow </pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>If the owner of the cron.allow file is not set to root, the possibility exists for an unauthorized user to view or edit sensitive information.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_package_xorg-x11-server-common_removed" id="rule-detail-idm46336716215728"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Remove the X Windows Package Groupxccdf_org.ssgproject.content_rule_package_xorg-x11-server-common_removed mediumCCE-27218-7 </div><div class="panel-heading"><h3 class="panel-title">Remove the X Windows Package Group</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_xorg-x11-server-common_removed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:27</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27218-7">CCE-27218-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040730</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86931r3_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.2</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8).1(ii)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>By removing the xorg-x11-server-common package, the system no longer has X Windows installed. If X Windows is not installed then the system cannot boot into graphical user mode. This prevents the system from being accidentally or maliciously booted into a <code>graphical.target</code> mode. To do so, run the following command: <pre>$ sudo yum groupremove "X Window System"</pre> <pre>$ sudo yum remove xorg-x11-server-common</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Unnecessary service packages must not be installed to decrease the attack surface of the system. X windows has a long history of security vulnerabilities and should not be installed unless approved and documented.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_sssd_ldap_configure_tls_ca_dir" id="rule-detail-idm46336716008032"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure SSSD LDAP Backend Client CA Certificate Locationxccdf_org.ssgproject.content_rule_sssd_ldap_configure_tls_ca_dir mediumCCE-80515-0 </div><div class="panel-heading"><h3 class="panel-title">Configure SSSD LDAP Backend Client CA Certificate Location</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sssd_ldap_configure_tls_ca_dir</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:12</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80515-0">CCE-80515-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001453</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000250-GPOS-00093</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040190</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86853r2_rule</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Configure SSSD to implement cryptography to protect the integrity of LDAP remote access sessions. By setting the <pre>ldap_tls_cacertdir</pre> option in <pre>/etc/sssd/sssd.conf</pre> to point to the path for the X.509 certificates used for peer authentication. <pre>ldap_tls_cacertdir /path/to/tls/cacert</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Without cryptographic integrity protections, information can be altered by unauthorized users without detection. <br><br> Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the key used to generate the hash.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_sssd_ldap_start_tls" id="rule-detail-idm46336716002768"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure SSSD LDAP Backend to Use TLS For All Transactionsxccdf_org.ssgproject.content_rule_sssd_ldap_start_tls mediumCCE-80546-5 </div><div class="panel-heading"><h3 class="panel-title">Configure SSSD LDAP Backend to Use TLS For All Transactions</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sssd_ldap_start_tls</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:12</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80546-5">CCE-80546-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040180</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86851r2_rule</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001453</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(2)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000250-GPOS-00093</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>This check verifies that RHEL7 implements cryptography to protect the integrity of remote LDAP authentication sessions. <br><br> To determine if LDAP is being used for authentication, use the following command: <pre>$ sudo grep -i useldapauth /etc/sysconfig/authconfig</pre> <br><br> If <code>USELDAPAUTH=yes</code>, then LDAP is being used. To check if LDAP is configured to use TLS, use the following command: <pre>$ sudo grep -i ldap_id_use_start_tls /etc/sssd/sssd.conf</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Without cryptographic integrity protections, information can be altered by unauthorized users without detection. The ssl directive specifies whether to use TLS or not. If not specified it will default to no. It should be set to start_tls rather than doing LDAP over SSL.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notchecked rule-detail-id-xccdf_org.ssgproject.content_rule_sssd_ldap_configure_tls_ca" id="rule-detail-idm46336715997088"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure SSSD LDAP Backend Client CA Certificatexccdf_org.ssgproject.content_rule_sssd_ldap_configure_tls_ca mediumCCE-80516-8 </div><div class="panel-heading"><h3 class="panel-title">Configure SSSD LDAP Backend Client CA Certificate</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sssd_ldap_configure_tls_ca</td></tr><tr><td>Result</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:27</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80516-8">CCE-80516-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001453</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000250-GPOS-00093</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040200</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86855r2_rule</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Configure SSSD to implement cryptography to protect the integrity of LDAP remote access sessions. By setting the <pre>ldap_tls_cacert</pre> option in <pre>/etc/sssd/sssd.conf</pre> to point to the path for the X.509 certificates used for peer authentication. <pre>ldap_tls_cacert /path/to/tls/ca.cert</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Without cryptographic integrity protections, information can be altered by unauthorized users without detection. <br><br> Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the key used to generate the hash.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">No candidate or applicable check found.</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_sssd_enable_pam_services" id="rule-detail-idm46336715991328"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure PAM in SSSD Servicesxccdf_org.ssgproject.content_rule_sssd_enable_pam_services mediumCCE-80437-7 </div><div class="panel-heading"><h3 class="panel-title">Configure PAM in SSSD Services</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sssd_enable_pam_services</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:12</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80437-7">CCE-80437-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-041002</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-87051r3_rule</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001948</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001953</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001954</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-2(11)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000375-GPOS-00160</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000375-GPOS-00161</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000375-GPOS-00162</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>SSSD should be configured to run SSSD <code>pam</code> services. To configure SSSD to known SSH hosts, add <code>pam</code> to <code>services</code> under the <code>[sssd]</code> section in <code>/etc/sssd/sssd.conf</code>. For example: <pre>[sssd] services = sudo, autofs, pam </pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_set_maxpoll" id="rule-detail-idm46336715966816"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure Time Service Maxpoll Intervalxccdf_org.ssgproject.content_rule_chronyd_or_ntpd_set_maxpoll unknownCCE-80439-3 </div><div class="panel-heading"><h3 class="panel-title">Configure Time Service Maxpoll Interval</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_set_maxpoll</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:12</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80439-3">CCE-80439-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040500</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86893r2_rule</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001891</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002046</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)(a)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000355-GPOS-00143</a>, <a href="">SRG-OS-000356-GPOS-00144</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>maxpoll</code> should be configured to <abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_time_service_set_maxpoll">10</abbr> in <code>/etc/ntp.conf</code> or <code>/etc/chrony.conf</code> to continuously poll time servers. To configure <code>maxpoll</code> in <code>/etc/ntp.conf</code> or <code>/etc/chrony.conf</code> add the following: <pre>maxpoll <abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_time_service_set_maxpoll">10</abbr></pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-error rule-detail-id-xccdf_org.ssgproject.content_rule_service_kdump_disabled" id="rule-detail-idm46336715902496"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable KDump Kernel Crash Analyzer (kdump)xccdf_org.ssgproject.content_rule_service_kdump_disabled mediumCCE-80258-7 </div><div class="panel-heading"><h3 class="panel-title">Disable KDump Kernel Crash Analyzer (kdump)</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_service_kdump_disabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-error"><div><abbr title="The checking engine could not complete the evaluation, therefore the status of the target's compliance with the rule is not certain. This could happen, for example, if a testing tool was run with insufficient privileges and could not gather all of the necessary information.">error</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:13</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80258-7">CCE-80258-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-021300</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86681r1_rule</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(c)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(b)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>kdump</code> service provides a kernel crash dump analyzer. It uses the <code>kexec</code> system call to boot a secondary kernel ("capture" kernel) following a system crash, which can load information from the crashed kernel for analysis. The <code>kdump</code> service can be disabled with the following command: <pre>$ sudo systemctl disable kdump.service</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Kernel core dumps may contain the full contents of system memory at the time of the crash. Kernel core dumps consume a considerable amount of disk space and may result in denial of service by exhausting the available space on the target file system partition. Unless the system is used for kernel development or testing, there is little need to run the kdump service.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Running in chroot, ignoring request. Removed /etc/systemd/system/multi-user.target.wants/kdump.service. Running in chroot, ignoring request. </message></pre><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Failed to verify applied fix: Checking engine returns: fail</message></pre></div></div></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation Shell script:</span>   <a data-toggle="collapse" data-target="#idm46336736182512">(show)</a><br></br><div class="panel-collapse collapse" id="idm46336736182512"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code> SYSTEMCTL_EXEC='/usr/bin/systemctl' "$SYSTEMCTL_EXEC" stop 'kdump.service' "$SYSTEMCTL_EXEC" disable 'kdump.service' # Disable socket activation if we have a unit file for it "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^kdump.socket\>' && "$SYSTEMCTL_EXEC" disable 'kdump.socket' # The service may not be running because it has been started and failed, # so let's reset the state so OVAL checks pass. # Service should be 'inactive', not 'failed' after reboot though. "$SYSTEMCTL_EXEC" reset-failed 'kdump.service' </code></pre></div></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation Ansible snippet:</span>   <a data-toggle="collapse" data-target="#idm46336736161248">(show)</a><br></br><div class="panel-collapse collapse" id="idm46336736161248"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Disable service kdump service: name: "{{item}}" enabled: "no" state: "stopped" register: service_result failed_when: "service_result is failed and ('Could not find the requested service' not in service_result.msg)" with_items: - kdump tags: - service_kdump_disabled - medium_severity - disable_strategy - low_complexity - low_disruption - CCE-80258-7 - NIST-800-53-AC-17(8) - NIST-800-53-CM-7 - NIST-800-53-CM-6(b) - DISA-STIG-RHEL-07-021300 - name: Disable socket of service kdump if applicable service: name: "{{item}}" enabled: "no" state: "stopped" register: socket_result failed_when: "socket_result is failed and ('Could not find the requested service' not in socket_result.msg)" with_items: - kdump.socket tags: - service_kdump_disabled - medium_severity - disable_strategy - low_complexity - low_disruption - CCE-80258-7 - NIST-800-53-AC-17(8) - NIST-800-53-CM-7 - NIST-800-53-CM-6(b) - DISA-STIG-RHEL-07-021300 </code></pre></div></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation Anaconda snippet:</span>   <a data-toggle="collapse" data-target="#idm46336736176048">(show)</a><br></br><div class="panel-collapse collapse" id="idm46336736176048"><pre><code> kdump --disable </code></pre></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notchecked rule-detail-id-xccdf_org.ssgproject.content_rule_postfix_prevent_unrestricted_relay" id="rule-detail-idm46336715876112"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Prevent Unrestricted Mail Relayingxccdf_org.ssgproject.content_rule_postfix_prevent_unrestricted_relay mediumCCE-80512-7 </div><div class="panel-heading"><h3 class="panel-title">Prevent Unrestricted Mail Relaying</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_postfix_prevent_unrestricted_relay</td></tr><tr><td>Result</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:28</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80512-7">CCE-80512-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040680</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86921r2_rule</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Modify the <pre>/etc/postfix/main.cf</pre> file to restrict client connections to the local network with the following command: <pre>$ sudo postconf -e 'smtpd_client_restrictions = permit_mynetworks,reject'</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>If unrestricted mail relaying is permitted, unauthorized senders could use this host as a mail relay for the purpose of sending spam or other unauthorized activity.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">No candidate or applicable check found.</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_mount_option_krb_sec_remote_filesystems" id="rule-detail-idm46336715816192"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Mount Remote Filesystems with Kerberos Securityxccdf_org.ssgproject.content_rule_mount_option_krb_sec_remote_filesystems mediumCCE-27458-9 </div><div class="panel-heading"><h3 class="panel-title">Mount Remote Filesystems with Kerberos Security</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_mount_option_krb_sec_remote_filesystems</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:28</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27458-9">CCE-27458-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040750</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86935r3_rule</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-14(1)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Add the <code>sec=krb5:krb5i:krb5p</code> option to the fourth column of <code>/etc/fstab</code> for the line which controls mounting of any NFS mounts.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>When an NFS server is configured to use AUTH_SYS a selected userid and groupid are used to handle requests from the remote user. The userid and groupid could mistakenly or maliciously be set incorrectly. The AUTH_GSS method of authentication uses certificates on the server and client systems to more securely authenticate the remote mount request.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_mount_option_noexec_remote_filesystems" id="rule-detail-idm46336715812208"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Mount Remote Filesystems with noexecxccdf_org.ssgproject.content_rule_mount_option_noexec_remote_filesystems mediumCCE-80436-9 </div><div class="panel-heading"><h3 class="panel-title">Mount Remote Filesystems with noexec</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_mount_option_noexec_remote_filesystems</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:28</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80436-9">CCE-80436-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-021021</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-87813r1_rule</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Add the <code>noexec</code> option to the fourth column of <code>/etc/fstab</code> for the line which controls mounting of any NFS mounts.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The noexec mount option causes the system not to execute binary files. This option must be used for mounting any file system not containing approved binary files as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_mount_option_nosuid_remote_filesystems" id="rule-detail-idm46336715808272"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Mount Remote Filesystems with nosuidxccdf_org.ssgproject.content_rule_mount_option_nosuid_remote_filesystems mediumCCE-80240-5 </div><div class="panel-heading"><h3 class="panel-title">Mount Remote Filesystems with nosuid</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_mount_option_nosuid_remote_filesystems</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:28</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80240-5">CCE-80240-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-021020</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86669r1_rule</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Add the <code>nosuid</code> option to the fourth column of <code>/etc/fstab</code> for the line which controls mounting of any NFS mounts.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>NFS mounts should not present suid binaries to users. Only vendor-supplied suid executables should be installed to their default location on the local filesystem.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sshd_enable_strictmodes" id="rule-detail-idm46336715766960"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Enable Use of Strict Mode Checkingxccdf_org.ssgproject.content_rule_sshd_enable_strictmodes mediumCCE-80222-3 </div><div class="panel-heading"><h3 class="panel-title">Enable Use of Strict Mode Checking</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sshd_enable_strictmodes</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:28</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80222-3">CCE-80222-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040450</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86887r2_rule</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.12</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>SSHs StrictModes option checks file and ownership permissions in the user's home directory <code>.ssh</code> folder before accepting login. If world- writable permissions are found, logon is rejected. To enable StrictModes in SSH, add or correct the following line in the <code>/etc/ssh/sshd_config</code> file: <pre>StrictModes yes</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>If other users have access to modify user-specific SSH configuration files, they may be able to log into the system as another user.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_sshd_disable_user_known_hosts" id="rule-detail-idm46336715762144"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable SSH Support for User Known Hostsxccdf_org.ssgproject.content_rule_sshd_disable_user_known_hosts mediumCCE-80372-6 </div><div class="panel-heading"><h3 class="panel-title">Disable SSH Support for User Known Hosts</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sshd_disable_user_known_hosts</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:13</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80372-6">CCE-80372-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FIA_AFL.1</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040380</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86873r2_rule</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.12</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>SSH can allow system users user host-based authentication to connect to systems if a cache of the remote systems public keys are available. This should be disabled. <br><br> To ensure this behavior is disabled, add or correct the following line in <code>/etc/ssh/sshd_config</code>: <pre>IgnoreUserKnownHosts yes</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Configuring this setting for the SSH daemon provides additional assurance that remove login via SSH will require a password, even in the event of misconfiguration elsewhere.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords" id="rule-detail-idm46336715744304"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable SSH Access via Empty Passwordsxccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords highCCE-27471-2 </div><div class="panel-heading"><h3 class="panel-title">Disable SSH Access via Empty Passwords</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:13</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27471-2">CCE-27471-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FIA_AFL.1</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-010300</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86563r2_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.9</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.6</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.5</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(b)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00229</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To explicitly disallow SSH login from accounts with empty passwords, add or correct the following line in <code>/etc/ssh/sshd_config</code>: <br> <pre>PermitEmptyPasswords no</pre> <br> Any accounts with empty passwords should be disabled immediately, and PAM configuration should prevent users from being able to assign themselves empty passwords.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Configuring this setting for the SSH daemon provides additional assurance that remote login via SSH will require a password, even in the event of misconfiguration elsewhere.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_sshd_set_keepalive" id="rule-detail-idm46336715734672"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set SSH Client Alive Countxccdf_org.ssgproject.content_rule_sshd_set_keepalive mediumCCE-27082-7 </div><div class="panel-heading"><h3 class="panel-title">Set SSH Client Alive Count</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sshd_set_keepalive</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:13</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27082-7">CCE-27082-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040340</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86865r3_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.12</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.6</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.11</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001133</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002361</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(5)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-8</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-12</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000163-GPOS-00072</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000279-GPOS-00109</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To ensure the SSH idle timeout occurs precisely when the <code>ClientAliveInterval</code> is set, edit <code>/etc/ssh/sshd_config</code> as follows: <pre>ClientAliveCountMax 0</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>This ensures a user login will be terminated as soon as the <code>ClientAliveInterval</code> is reached.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sshd_disable_rhosts_rsa" id="rule-detail-idm46336715724848"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable SSH Support for Rhosts RSA Authenticationxccdf_org.ssgproject.content_rule_sshd_disable_rhosts_rsa mediumCCE-80373-4 </div><div class="panel-heading"><h3 class="panel-title">Disable SSH Support for Rhosts RSA Authentication</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sshd_disable_rhosts_rsa</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:28</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80373-4">CCE-80373-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FIA_AFL.1</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040330</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86863r3_rule</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.12</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>SSH can allow authentication through the obsolete rsh command through the use of the authenticating user's SSH keys. This should be disabled. <br><br> To ensure this behavior is disabled, add or correct the following line in <code>/etc/ssh/sshd_config</code>: <pre>RhostsRSAAuthentication no</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Configuring this setting for the SSH daemon provides additional assurance that remove login via SSH will require a password, even in the event of misconfiguration elsewhere.</p></div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span> As of <code>openssh-server</code> version <code>7.4</code> and above, the <code>RhostsRSAAuthentication</code> option has been deprecated, and the line <pre>RhostsRSAAuthentication no</pre> in <code>/etc/ssh/sshd_config</code> is not necessary.</div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner" id="rule-detail-idm46336715755776"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Enable SSH Warning Bannerxccdf_org.ssgproject.content_rule_sshd_enable_warning_banner mediumCCE-27314-4 </div><div class="panel-heading"><h3 class="panel-title">Enable SSH Warning Banner</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:13</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27314-4">CCE-27314-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040170</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86849r3_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.16</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.6</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.9</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000048</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000050</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001384</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001385</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001386</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001387</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001388</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-8(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-8(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-8(c)(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-8(c)(2)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-8(c)(3)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000023-GPOS-00006</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000024-GPOS-00007</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000228-GPOS-00088</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To enable the warning banner and ensure it is consistent across the system, add or correct the following line in <code>/etc/ssh/sshd_config</code>: <pre>Banner /etc/issue</pre> Another section contains information on how to create an appropriate system-wide warning banner.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers. Alternatively, systems whose ownership should not be obvious should ensure usage of a banner that does not provide easy attribution.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_sshd_use_approved_macs" id="rule-detail-idm46336715707360"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Use Only FIPS 140-2 Validated MACsxccdf_org.ssgproject.content_rule_sshd_use_approved_macs mediumCCE-27455-5 </div><div class="panel-heading"><h3 class="panel-title">Use Only FIPS 140-2 Validated MACs</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sshd_use_approved_macs</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:13</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27455-5">CCE-27455-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040400</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86877r2_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.12</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.13.11</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.13.8</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001453</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(2)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.314(b)(2)(i)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(2)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-7</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-13</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000250-GPOS-00093</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Limit the MACs to those hash algorithms which are FIPS-approved. The following line in <code>/etc/ssh/sshd_config</code> demonstrates use of FIPS-approved MACs: <br><br> <pre>MACs hmac-sha2-512,hmac-sha2-256</pre> <br><br> Only the following message authentication codes are FIPS 140-2 certified on RHEL 7: <br>- hmac-sha1 <br>- hmac-sha2-256 <br>- hmac-sha2-512 <br>- hmac-sha1-etm@openssh.com <br>- hmac-sha2-256-etm@openssh.com <br>- hmac-sha2-512-etm@openssh.com <br><br> Any combination of the above MACs will pass this check. Official FIPS 140-2 paperwork for RHEL7 can be found at http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp2630.pdf.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>DoD Information Systems are required to use FIPS-approved cryptographic hash functions. The only SSHv2 hash algorithms meeting this requirement is SHA2.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_sshd_do_not_permit_user_env" id="rule-detail-idm46336715702240"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Do Not Allow SSH Environment Optionsxccdf_org.ssgproject.content_rule_sshd_do_not_permit_user_env mediumCCE-27363-1 </div><div class="panel-heading"><h3 class="panel-title">Do Not Allow SSH Environment Options</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sshd_do_not_permit_user_env</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:13</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27363-1">CCE-27363-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-010460</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86581r2_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.10</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.6</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.12</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(b)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00229</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To ensure users are not able to override environment options to the SSH daemon, add or correct the following line in <code>/etc/ssh/sshd_config</code>: <pre>PermitUserEnvironment no</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>SSH environment options potentially allow users to bypass access restriction in some configurations.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sshd_disable_kerb_auth" id="rule-detail-idm46336715718368"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable Kerberos Authenticationxccdf_org.ssgproject.content_rule_sshd_disable_kerb_auth mediumCCE-80221-5 </div><div class="panel-heading"><h3 class="panel-title">Disable Kerberos Authentication</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sshd_disable_kerb_auth</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:28</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80221-5">CCE-80221-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FIA_AFL.1</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040440</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86885r2_rule</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.12</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000368</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000318</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001812</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001813</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001814</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(c)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000364-GPOS-00151</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Unless needed, SSH should not permit extraneous or unnecessary authentication mechanisms like Kerberos. To disable Kerberos authentication, add or correct the following line in the <code>/etc/ssh/sshd_config</code> file: <pre>KerberosAuthentication no</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Kerberos authentication for SSH is often implemented using GSSAPI. If Kerberos is enabled through SSH, the SSH daemon provides a means of access to the system's Kerberos implementation. Vulnerabilities in the system's Kerberos implementations may be subject to exploitation.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2" id="rule-detail-idm46336715692480"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Allow Only SSH Protocol 2xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2 highCCE-27320-1 </div><div class="panel-heading"><h3 class="panel-title">Allow Only SSH Protocol 2</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:28</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27320-1">CCE-27320-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040390</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86875r3_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.2</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.6</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.5.4</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000197</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8).1(ii)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000074-GPOS-00042</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Only SSH protocol version 2 connections should be permitted. The default setting in <code>/etc/ssh/sshd_config</code> is correct, and can be verified by ensuring that the following line appears: <pre>Protocol 2</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>SSH protocol version 1 is an insecure implementation of the SSH protocol and has many well-known vulnerability exploits. Exploits of the SSH daemon could provide immediate root access to the system.</p></div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span> As of <code>openssh-server</code> version <code>7.4</code> and above, the only protocol supported is version 2, and line <pre>Protocol 2</pre> in <code>/etc/ssh/sshd_config</code> is not necessary.</div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sshd_disable_rhosts" id="rule-detail-idm46336715684656"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable SSH Support for .rhosts Filesxccdf_org.ssgproject.content_rule_sshd_disable_rhosts mediumCCE-27377-1 </div><div class="panel-heading"><h3 class="panel-title">Disable SSH Support for .rhosts Files</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sshd_disable_rhosts</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:28</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27377-1">CCE-27377-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FIA_AFL.1</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040350</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86867r2_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.6</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.6</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.12</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>SSH can emulate the behavior of the obsolete rsh command in allowing users to enable insecure access to their accounts via <code>.rhosts</code> files. <br><br> To ensure this behavior is disabled, add or correct the following line in <code>/etc/ssh/sshd_config</code>: <pre>IgnoreRhosts yes</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout" id="rule-detail-idm46336715679904"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set SSH Idle Timeout Intervalxccdf_org.ssgproject.content_rule_sshd_set_idle_timeout unknownCCE-27433-2 </div><div class="panel-heading"><h3 class="panel-title">Set SSH Idle Timeout Interval</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:13</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27433-2">CCE-27433-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040320</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86861r3_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.12</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.6</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.11</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001133</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002361</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(5)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-8(i)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-12</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.1.8</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000163-GPOS-00072</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000279-GPOS-00109</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>SSH allows administrators to set an idle timeout interval. After this interval has passed, the idle user will be automatically logged out. <br><br> To set an idle timeout interval, edit the following line in <code>/etc/ssh/sshd_config</code> as follows: <pre>ClientAliveInterval <b><abbr title="from TestResult: xccdf_org.ssgproject.content_value_sshd_idle_timeout_value">600</abbr></b></pre> The timeout <b>interval</b> is given in seconds. To have a timeout of 15 minutes, set <b>interval</b> to 900. <br><br> If a shorter timeout has already been set for the login shell, that value will preempt any SSH setting made here. Keep in mind that some processes may stop SSH from correctly detecting that the user is idle.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Terminating an idle ssh session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been let unattended.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sshd_enable_x11_forwarding" id="rule-detail-idm46336715659504"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Enable Encrypted X11 Forwardingxccdf_org.ssgproject.content_rule_sshd_enable_x11_forwarding highCCE-80226-4 </div><div class="panel-heading"><h3 class="panel-title">Enable Encrypted X11 Forwarding</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sshd_enable_x11_forwarding</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:28</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80226-4">CCE-80226-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040710</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86927r3_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.4</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-2(1)(b)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>By default, remote X11 connections are not encrypted when initiated by users. SSH has the capability to encrypt remote X11 connections when SSH's <code>X11Forwarding</code> option is enabled. <br><br> To enable X11 Forwarding, add or correct the following line in <code>/etc/ssh/sshd_config</code>: <pre>X11Forwarding yes</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Open X displays allow an attacker to capture keystrokes and to execute commands remotely.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_sshd_use_approved_ciphers" id="rule-detail-idm46336715672736"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Use Only FIPS 140-2 Validated Ciphersxccdf_org.ssgproject.content_rule_sshd_use_approved_ciphers mediumCCE-27295-5 </div><div class="panel-heading"><h3 class="panel-title">Use Only FIPS 140-2 Validated Ciphers</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sshd_use_approved_ciphers</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:13</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27295-5">CCE-27295-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040110</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86845r2_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.10</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.6</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.13.11</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.13.8</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000068</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000803</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(2)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.314(b)(2)(i)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(2)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-10(5)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-7</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000033-GPOS-00014</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000120-GPOS-00061</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000125-GPOS-00065</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000250-GPOS-00093</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000393-GPOS-00173</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Limit the ciphers to those algorithms which are FIPS-approved. Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode. The following line in <code>/etc/ssh/sshd_config</code> demonstrates use of FIPS 140-2 validated ciphers: <pre>Ciphers aes128-ctr,aes192-ctr,aes256-ctr</pre> <br><br> The following ciphers are FIPS 140-2 certified on RHEL 7: <br>- aes128-ctr <br>- aes192-ctr <br>- aes256-ctr <br>- aes128-cbc <br>- aes192-cbc <br>- aes256-cbc <br>- 3des-cbc <br>- rijndael-cbc@lysator.liu.se <br><br> Any combination of the above ciphers will pass this check. Official FIPS 140-2 paperwork for RHEL7 can be found at http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp2630.pdf.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and system data may be compromised. <br> Operating systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. <br> FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets industry and government requirements. For government systems, this allows Security Levels 1, 2, 3, or 4 for use on Red Hat Enterprise Linux.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_disable_host_auth" id="rule-detail-idm46336715644928"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable Host-Based Authenticationxccdf_org.ssgproject.content_rule_disable_host_auth mediumCCE-27413-4 </div><div class="panel-heading"><h3 class="panel-title">Disable Host-Based Authentication</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_disable_host_auth</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:28</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27413-4">CCE-27413-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FIA_AFL.1</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-010470</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86583r2_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.7</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.6</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.12</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(b)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00229</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>SSH's cryptographic host-based authentication is more secure than <code>.rhosts</code> authentication. However, it is not recommended that hosts unilaterally trust one another, even within an organization. <br><br> To disable host-based authentication, add or correct the following line in <code>/etc/ssh/sshd_config</code>: <pre>HostbasedAuthentication no</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_sshd_use_priv_separation" id="rule-detail-idm46336715651120"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Enable Use of Privilege Separationxccdf_org.ssgproject.content_rule_sshd_use_priv_separation mediumCCE-80223-1 </div><div class="panel-heading"><h3 class="panel-title">Enable Use of Privilege Separation</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sshd_use_priv_separation</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:13</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80223-1">CCE-80223-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040460</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86889r2_rule</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.12</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>When enabled, SSH will create an unprivileged child process that has the privilege of the authenticated user. To enable privilege separation in SSH, add or correct the following line in the <code>/etc/ssh/sshd_config</code> file: <pre>UsePrivilegeSeparation sandbox</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>SSH daemon privilege separation causes the SSH process to drop root privileges when not needed which would decrease the impact of software vulnerabilities in the unprivileged section.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_sshd_print_last_log" id="rule-detail-idm46336715623520"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Print Last Logxccdf_org.ssgproject.content_rule_sshd_print_last_log mediumCCE-80225-6 </div><div class="panel-heading"><h3 class="panel-title">Print Last Log</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sshd_print_last_log</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:13</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80225-6">CCE-80225-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040360</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86869r2_rule</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-9</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>When enabled, SSH will display the date and time of the last successful account logon. To enable LastLog in SSH, add or correct the following line in the <code>/etc/ssh/sshd_config</code> file: <pre>PrintLastLog yes</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Providing users feedback on when account accesses last occurred facilitates user recognition and reporting of unauthorized account use.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_sshd_disable_gssapi_auth" id="rule-detail-idm46336715633328"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable GSSAPI Authenticationxccdf_org.ssgproject.content_rule_sshd_disable_gssapi_auth mediumCCE-80220-7 </div><div class="panel-heading"><h3 class="panel-title">Disable GSSAPI Authentication</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sshd_disable_gssapi_auth</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:13</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80220-7">CCE-80220-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FIA_AFL.1</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040430</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86883r2_rule</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.12</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000368</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000318</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001812</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001813</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001814</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(c)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000364-GPOS-00151</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Unless needed, SSH should not permit extraneous or unnecessary authentication mechanisms like GSSAPI. To disable GSSAPI authentication, add or correct the following line in the <code>/etc/ssh/sshd_config</code> file: <pre>GSSAPIAuthentication no</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>GSSAPI authentication is used to provide additional authentication mechanisms to applications. Allowing GSSAPI authentication through SSH exposes the system's GSSAPI to remote hosts, increasing the attack surface of the system.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_sshd_disable_compression" id="rule-detail-idm46336715610304"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable Compression Or Set Compression to delayedxccdf_org.ssgproject.content_rule_sshd_disable_compression mediumCCE-80224-9 </div><div class="panel-heading"><h3 class="panel-title">Disable Compression Or Set Compression to delayed</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sshd_disable_compression</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:13</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80224-9">CCE-80224-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040470</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86891r2_rule</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.12</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(b)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Compression is useful for slow network connections over long distances but can cause performance issues on local LANs. If use of compression is required, it should be enabled only after a user has authenticated; otherwise , it should be disabled. To disable compression or delay compression until after a user has successfully authenticated, add or correct the following line in the <code>/etc/ssh/sshd_config</code> file: <pre>Compression no</pre> or <pre>Compression delayed</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>If compression is allowed in an SSH connection prior to authentication, vulnerabilities in the compression software could result in compromise of the system from an unauthenticated connection, potentially wih root privileges.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_sshd_disable_root_login" id="rule-detail-idm46336715607360"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable SSH Root Loginxccdf_org.ssgproject.content_rule_sshd_disable_root_login mediumCCE-27445-6 </div><div class="panel-heading"><h3 class="panel-title">Disable SSH Root Login</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sshd_disable_root_login</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:13</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27445-6">CCE-27445-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FIA_AFL.1</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040370</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86871r2_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.8</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.6</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.5</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(2)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-2(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-2(5)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The root user should never be allowed to login to a system directly over a network. To disable root login via SSH, add or correct the following line in <code>/etc/ssh/sshd_config</code>: <pre>PermitRootLogin no</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Even though the communications channel may be encrypted, an additional layer of security is gained by extending the policy of not logging directly on as root. In addition, logging in with a user-specific account provides individual accountability of actions performed on the system and also helps to minimize direct attack attempts on root's password.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_package_openssh-server_installed" id="rule-detail-idm46336715591888"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Install the OpenSSH Server Packagexccdf_org.ssgproject.content_rule_package_openssh-server_installed mediumCCE-80215-7 </div><div class="panel-heading"><h3 class="panel-title">Install the OpenSSH Server Package</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_openssh-server_installed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:28</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80215-7">CCE-80215-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040300</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86857r2_rule</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002418</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002420</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002421</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002422</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-8</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000423-GPOS-00187</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000423-GPOS-00188</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000423-GPOS-00189</a>, <a href="">SRG-OS000423-GPOS-00190</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>openssh-server</code> package should be installed. The <code>openssh-server</code> package can be installed with the following command: <pre>$ sudo yum install openssh-server</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Without protection of the transmitted information, confidentiality, and integrity may be compromised because unprotected communications can be intercepted and either read or altered.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-error rule-detail-id-xccdf_org.ssgproject.content_rule_service_sshd_enabled" id="rule-detail-idm46336715581728"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Enable the OpenSSH Servicexccdf_org.ssgproject.content_rule_service_sshd_enabled mediumCCE-80216-5 </div><div class="panel-heading"><h3 class="panel-title">Enable the OpenSSH Service</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_service_sshd_enabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-error"><div><abbr title="The checking engine could not complete the evaluation, therefore the status of the target's compliance with the rule is not certain. This could happen, for example, if a testing tool was run with insufficient privileges and could not gather all of the necessary information.">error</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:13</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80216-5">CCE-80216-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040310</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86859r2_rule</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.5.4</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.13.8</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002418</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002420</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002421</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002422</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-8</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000423-GPOS-00187</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000423-GPOS-00188</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000423-GPOS-00189</a>, <a href="">SRG-OS000423-GPOS-00190</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The SSH server service, sshd, is commonly needed. The <code>sshd</code> service can be enabled with the following command: <pre>$ sudo systemctl enable sshd.service</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Without protection of the transmitted information, confidentiality, and integrity may be compromised because unprotected communications can be intercepted and either read or altered. <br><br> This checklist item applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, etc). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Running in chroot, ignoring request. </message></pre><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Failed to verify applied fix: Checking engine returns: fail</message></pre></div></div></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation Shell script:</span>   <a data-toggle="collapse" data-target="#idm46336734713312">(show)</a><br></br><div class="panel-collapse collapse" id="idm46336734713312"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code> SYSTEMCTL_EXEC='/usr/bin/systemctl' "$SYSTEMCTL_EXEC" start 'sshd.service' "$SYSTEMCTL_EXEC" enable 'sshd.service' </code></pre></div></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation Ansible snippet:</span>   <a data-toggle="collapse" data-target="#idm46336734716464">(show)</a><br></br><div class="panel-collapse collapse" id="idm46336734716464"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service sshd service: name: "{{item}}" enabled: "yes" state: "started" with_items: - sshd tags: - service_sshd_enabled - medium_severity - enable_strategy - low_complexity - low_disruption - CCE-80216-5 - NIST-800-53-SC-8 - NIST-800-171-3.1.13 - NIST-800-171-3.5.4 - NIST-800-171-3.13.8 - DISA-STIG-RHEL-07-040310 </code></pre></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-error rule-detail-id-xccdf_org.ssgproject.content_rule_file_permissions_sshd_pub_key" id="rule-detail-idm46336715575168"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Verify Permissions on SSH Server Public *.pub Key Filesxccdf_org.ssgproject.content_rule_file_permissions_sshd_pub_key mediumCCE-27311-0 </div><div class="panel-heading"><h3 class="panel-title">Verify Permissions on SSH Server Public *.pub Key Files</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_file_permissions_sshd_pub_key</td></tr><tr><td>Result</td><td class="rule-result rule-result-error"><div><abbr title="The checking engine could not complete the evaluation, therefore the status of the target's compliance with the rule is not certain. This could happen, for example, if a testing tool was run with insufficient privileges and could not gather all of the necessary information.">error</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:13</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27311-0">CCE-27311-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040410</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86879r1_rule</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.13.10</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p> To properly set the permissions of <code>/etc/ssh/*.pub</code>, run the command: <pre>$ sudo chmod 0644 /etc/ssh/*.pub</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>If a public host key file is modified by an unauthorized user, the SSH service may be compromised.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 1</message></pre><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">chmod: cannot access '/etc/ssh/*.pub': No such file or directory </message></pre><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Failed to verify applied fix: Checking engine returns: fail</message></pre></div></div></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation Shell script:</span>   <a data-toggle="collapse" data-target="#idm46336734697296">(show)</a><br></br><div class="panel-collapse collapse" id="idm46336734697296"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code> chmod 0644 /etc/ssh/*.pub </code></pre></div></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation Ansible snippet:</span>   <a data-toggle="collapse" data-target="#idm46336734685104">(show)</a><br></br><div class="panel-collapse collapse" id="idm46336734685104"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Ensure permission 0644 on /etc/ssh/*.pub file: path: "{{ item }}" mode: 0644 with_items: - /etc/ssh/*.pub tags: - file_permissions_sshd_pub_key - medium_severity - configure_strategy - low_complexity - low_disruption - CCE-27311-0 - NIST-800-53-AC-6 - NIST-800-171-3.1.13 - NIST-800-171-3.13.10 - DISA-STIG-RHEL-07-040410 </code></pre></div></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation Puppet snippet:</span>   <a data-toggle="collapse" data-target="#idm46336734699776">(show)</a><br></br><div class="panel-collapse collapse" id="idm46336734699776"><pre><code>include ssh_public_key_perms class ssh_public_key_perms { exec { 'sshd_pub_key': command => "chmod 0644 /etc/ssh/*.pub", path => '/bin:/usr/bin' } } </code></pre></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-error rule-detail-id-xccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key" id="rule-detail-idm46336715567280"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Verify Permissions on SSH Server Private *_key Key Filesxccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key mediumCCE-27485-2 </div><div class="panel-heading"><h3 class="panel-title">Verify Permissions on SSH Server Private *_key Key Files</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key</td></tr><tr><td>Result</td><td class="rule-result rule-result-error"><div><abbr title="The checking engine could not complete the evaluation, therefore the status of the target's compliance with the rule is not certain. This could happen, for example, if a testing tool was run with insufficient privileges and could not gather all of the necessary information.">error</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:13</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27485-2">CCE-27485-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040420</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86881r1_rule</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.13.10</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p> To properly set the permissions of <code>/etc/ssh/*_key</code>, run the command: <pre>$ sudo chmod 0640 /etc/ssh/*_key</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>If an unauthorized user obtains the private SSH host key file, the host could be impersonated.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 1</message></pre><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">chmod: cannot access '/etc/ssh/*_key': No such file or directory </message></pre><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Failed to verify applied fix: Checking engine returns: fail</message></pre></div></div></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation Shell script:</span>   <a data-toggle="collapse" data-target="#idm46336734675552">(show)</a><br></br><div class="panel-collapse collapse" id="idm46336734675552"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code> chmod 0600 /etc/ssh/*_key </code></pre></div></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation Ansible snippet:</span>   <a data-toggle="collapse" data-target="#idm46336734674064">(show)</a><br></br><div class="panel-collapse collapse" id="idm46336734674064"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Ensure permission 0600 on /etc/ssh/*_key file: path: "{{ item }}" mode: 0600 with_items: - /etc/ssh/*_key tags: - file_permissions_sshd_private_key - medium_severity - configure_strategy - low_complexity - low_disruption - CCE-27485-2 - NIST-800-53-AC-6 - NIST-800-171-3.1.13 - NIST-800-171-3.13.10 - DISA-STIG-RHEL-07-040420 </code></pre></div></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation Puppet snippet:</span>   <a data-toggle="collapse" data-target="#idm46336734668400">(show)</a><br></br><div class="panel-collapse collapse" id="idm46336734668400"><pre><code>include ssh_private_key_perms class ssh_private_key_perms { exec { 'sshd_priv_key': command => "chmod 0640 /etc/ssh/*_key", path => '/bin:/usr/bin' } } </code></pre></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_rsyslog_remote_loghost" id="rule-detail-idm46336715556560"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure Logs Sent To Remote Hostxccdf_org.ssgproject.content_rule_rsyslog_remote_loghost unknownCCE-27343-3 </div><div class="panel-heading"><h3 class="panel-title">Ensure Logs Sent To Remote Host</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_rsyslog_remote_loghost</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:13</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27343-3">CCE-27343-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-031000</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86833r1_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">4.2.1.4</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001348</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000136</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001851</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(B)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(6)(ii)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(8)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(2)(iii)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.314(a)(2)(i)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.314(a)(2)(iii)</a>, <a href="https://www.iso.org/standard/54534.html">A.12.3.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-3(2)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-4(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-9</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To configure rsyslog to send logs to a remote log server, open <code>/etc/rsyslog.conf</code> and read and understand the last section of the file, which describes the multiple directives necessary to activate remote logging. Along with these other directives, the system can be configured to forward its logs to a particular log server by adding or correcting one of the following lines, substituting <code><i>loghost.example.com</i></code> appropriately. The choice of protocol depends on the environment of the system; although TCP and RELP provide more reliable message delivery, they may not be supported in all environments. <br> To use UDP for log message delivery: <pre>*.* @<i>loghost.example.com</i></pre> <br> To use TCP for log message delivery: <pre>*.* @@<i>loghost.example.com</i></pre> <br> To use RELP for log message delivery: <pre>*.* :omrelp:<i>loghost.example.com</i></pre> <br> There must be a resolvable DNS CNAME or Alias record set to "<abbr title="from TestResult: xccdf_org.ssgproject.content_value_rsyslog_remote_loghost_address">logcollector</abbr>" for logs to be sent correctly to the centralized logging utility.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>A log server (loghost) receives syslog messages from one or more systems. This data can be used as an additional log source in the event a system is compromised and its local logs are suspect. Forwarding log messages to a remote loghost also provides system administrators with a centralized place to view the status of multiple hosts within the enterprise.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_rsyslog_cron_logging" id="rule-detail-idm46336715553072"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure cron Is Logging To Rsyslogxccdf_org.ssgproject.content_rule_rsyslog_cron_logging mediumCCE-80380-9 </div><div class="panel-heading"><h3 class="panel-title">Ensure cron Is Logging To Rsyslog</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_rsyslog_cron_logging</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:28</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80380-9">CCE-80380-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-021100</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86675r1_rule</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Cron logging must be implemented to spot intrusions or trace cron job status. If <code>cron</code> is not logging to <code>rsyslog</code>, it can be implemented by adding the following to the <i>RULES</i> section of <code>/etc/rsyslog.conf</code>: <pre>cron.* /var/log/cron</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Cron logging can be used to trace the successful or unsuccessful execution of cron jobs. It can also be used to spot intrusions into the use of the cron facility by unauthorized and malicious users.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_rsyslog_nolisten" id="rule-detail-idm46336715526848"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Serverxccdf_org.ssgproject.content_rule_rsyslog_nolisten unknownCCE-80192-8 </div><div class="panel-heading"><h3 class="panel-title">Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_rsyslog_nolisten</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:28</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80192-8">CCE-80192-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-031010</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86835r1_rule</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000318</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000368</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001812</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001813</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001814</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-9(2)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-4</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(c)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>rsyslog</code> daemon should not accept remote messages unless the system acts as a log server. To ensure that it is not listening on the network, ensure the following lines are <i>not</i> found in <code>/etc/rsyslog.conf</code>: <pre>$ModLoad imtcp $InputTCPServerRun <i>port</i> $ModLoad imudp $UDPServerRun <i>port</i> $ModLoad imrelp $InputRELPServerRun <i>port</i></pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Any process which receives messages from the network incurs some risk of receiving malicious messages. This risk can be eliminated for rsyslog by configuring it not to listen on the network.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_set_firewalld_default_zone" id="rule-detail-idm46336715510240"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set Default firewalld Zone for Incoming Packetsxccdf_org.ssgproject.content_rule_set_firewalld_default_zone mediumCCE-27349-0 </div><div class="panel-heading"><h3 class="panel-title">Set Default firewalld Zone for Incoming Packets</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_set_firewalld_default_zone</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:28</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27349-0">CCE-27349-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040810</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86939r2_rule</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.10.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.13.6</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To set the default zone to <code>drop</code> for the built-in default zone which processes incoming IPv4 and IPv6 packets, modify the following line in <code>/etc/firewalld/firewalld.conf</code> to be: <pre>DefaultZone=drop</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>In <code>firewalld</code> the default zone is applied only after all the applicable rules in the table are examined for a match. Setting the default zone to <code>drop</code> implements proper design for a firewall, i.e. any packets which are not explicitly permitted should not be accepted.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_configure_firewalld_ports" id="rule-detail-idm46336715506272"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure the Firewalld Portsxccdf_org.ssgproject.content_rule_configure_firewalld_ports mediumCCE-80447-6 </div><div class="panel-heading"><h3 class="panel-title">Configure the Firewalld Ports</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_configure_firewalld_ports</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:14</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80447-6">CCE-80447-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040100</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86843r1_rule</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000382</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002314</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7.1(iii)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(1)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000096-GPOS-00050</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000297-GPOS-00115</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Configure the <code>firewalld</code> ports to allow approved services to have access to the system. To configure <code>firewalld</code> to open ports, run the following command: <pre>$ sudo firewall-cmd --permanent --add-port=<i>port_number</i>/tcp</pre> or <pre>$ sudo firewall-cmd --permanent --add-port=<i>service_name</i></pre> Run the command list above for each of the ports listed below: To configure <code>firewalld</code> to allow access, run the following command(s): <code>firewall-cmd --permanent --add-service=ssh</code></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems. <br><br> Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., VPN and IPS); however, doing so increases risk over limiting the services provided by any one component. <br><br> To support the requirements and principles of least functionality, the operating system must support the organizational requirements, providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved to conduct official business or to address authorized quality of life issues.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">which: no dnf in (/bin:/sbin:/usr/bin:/usr/sbin) /bin/yum </message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notchecked rule-detail-id-xccdf_org.ssgproject.content_rule_configure_firewalld_rate_limiting" id="rule-detail-idm46336715482528"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure firewalld To Rate Limit Connectionsxccdf_org.ssgproject.content_rule_configure_firewalld_rate_limiting mediumCCE-80542-4 </div><div class="panel-heading"><h3 class="panel-title">Configure firewalld To Rate Limit Connections</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_configure_firewalld_rate_limiting</td></tr><tr><td>Result</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:28</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80542-4">CCE-80542-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002385</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000420-GPOS-00186</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040510</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86895r2_rule</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Create a direct firewall rule to protect against DoS attacks with the following command: <pre>$ sudo firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT_direct 0 -p tcp -m limit --limit 25/minute --limit-burst 100 -j ACCEPT</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. <br><br> This requirement addresses the configuration of the operating system to mitigate the impact of DoS attacks that have occurred or are ongoing on system availability. For each system, known and potential DoS attacks must be identified and solutions for each type implemented. A variety of technologies exist to limit or, in some cases, eliminate the effects of DoS attacks (e.g., limiting processes or establishing memory partitions). Employing increased capacity and bandwidth, combined with service redundancy, may reduce the susceptibility to some DoS attacks.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">No candidate or applicable check found.</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-error rule-detail-id-xccdf_org.ssgproject.content_rule_service_firewalld_enabled" id="rule-detail-idm46336715500448"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Verify firewalld Enabledxccdf_org.ssgproject.content_rule_service_firewalld_enabled mediumCCE-27361-5 </div><div class="panel-heading"><h3 class="panel-title">Verify firewalld Enabled</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_service_firewalld_enabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-error"><div><abbr title="The checking engine could not complete the evaluation, therefore the status of the target's compliance with the rule is not certain. This could happen, for example, if a testing tool was run with insufficient privileges and could not gather all of the necessary information.">error</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:14</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27361-5">CCE-27361-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040520</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86897r1_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">4.7</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(b)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p> The <code>firewalld</code> service can be enabled with the following command: <pre>$ sudo systemctl enable firewalld.service</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Access control methods provide the ability to enhance system security posture by restricting services and known good IP addresses and address ranges. This prevents connections from unknown hosts and protocols.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Running in chroot, ignoring request. </message></pre><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Failed to verify applied fix: Checking engine returns: fail</message></pre></div></div></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation Shell script:</span>   <a data-toggle="collapse" data-target="#idm46336734271600">(show)</a><br></br><div class="panel-collapse collapse" id="idm46336734271600"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code> SYSTEMCTL_EXEC='/usr/bin/systemctl' "$SYSTEMCTL_EXEC" start 'firewalld.service' "$SYSTEMCTL_EXEC" enable 'firewalld.service' </code></pre></div></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation Ansible snippet:</span>   <a data-toggle="collapse" data-target="#idm46336734237536">(show)</a><br></br><div class="panel-collapse collapse" id="idm46336734237536"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service firewalld service: name: "{{item}}" enabled: "yes" state: "started" with_items: - firewalld tags: - service_firewalld_enabled - medium_severity - enable_strategy - low_complexity - low_disruption - CCE-27361-5 - NIST-800-53-CM-6(b) - NIST-800-171-3.1.3 - NIST-800-171-3.4.7 - DISA-STIG-RHEL-07-040520 </code></pre></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notchecked rule-detail-id-xccdf_org.ssgproject.content_rule_libreswan_approved_tunnels" id="rule-detail-idm46336715478304"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Verify Any Configured IPSec Tunnel Connectionsxccdf_org.ssgproject.content_rule_libreswan_approved_tunnels mediumCCE-80171-2 </div><div class="panel-heading"><h3 class="panel-title">Verify Any Configured IPSec Tunnel Connections</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_libreswan_approved_tunnels</td></tr><tr><td>Result</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:28</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80171-2">CCE-80171-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040820</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86941r1_rule</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000336</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-4</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Libreswan provides an implementation of IPsec and IKE, which permits the creation of secure tunnels over untrusted networks. As such, IPsec can be used to circumvent certain network requirements such as filtering. Verify that if any IPsec connection (<code>conn</code>) configured in <code>/etc/ipsec.conf</code> and <code>/etc/ipsec.d</code> exists is an approved organizational connection.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>IP tunneling mechanisms can be used to bypass network filtering.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">No candidate or applicable check found.</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_source_route" id="rule-detail-idm46336715461456"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure Kernel Parameter for Accepting IPv6 Source-Routed Packets for All Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_source_route mediumCCE-80179-5 </div><div class="panel-heading"><h3 class="panel-title">Configure Kernel Parameter for Accepting IPv6 Source-Routed Packets for All Interfaces</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_source_route</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:14</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80179-5">CCE-80179-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040830</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86943r1_rule</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-4</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To set the runtime status of the <code>net.ipv6.conf.all.accept_source_route</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv6.conf.all.accept_source_route=0</pre> If this is not the system default value, add the following line to <code>/etc/sysctl.conf</code>: <pre>net.ipv6.conf.all.accept_source_route = 0</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routerd traffic, such as when IPv6 forwarding is enabled and the system is functioning as a router. <br><br> Accepting source-routed packets in the IPv6 protocol has few legitimate uses. It should be disabled unless it is absolutely required.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_source_route" id="rule-detail-idm46336715419728"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure Kernel Parameter for Accepting Source-Routed Packets By Defaultxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_source_route mediumCCE-80162-1 </div><div class="panel-heading"><h3 class="panel-title">Configure Kernel Parameter for Accepting Source-Routed Packets By Default</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_source_route</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:28</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80162-1">CCE-80162-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040620</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86909r1_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">3.2.1</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.10.1.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001551</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-4</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To set the runtime status of the <code>net.ipv4.conf.default.accept_source_route</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.default.accept_source_route=0</pre> If this is not the system default value, add the following line to <code>/etc/sysctl.conf</code>: <pre>net.ipv4.conf.default.accept_source_route = 0</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. <br> Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required, such as when IPv4 forwarding is enabled and the system is legitimately functioning as a router.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_echo_ignore_broadcasts" id="rule-detail-idm46336715414784"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure Kernel Parameter to Ignore ICMP Broadcast Echo Requestsxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_echo_ignore_broadcasts mediumCCE-80165-4 </div><div class="panel-heading"><h3 class="panel-title">Configure Kernel Parameter to Ignore ICMP Broadcast Echo Requests</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_echo_ignore_broadcasts</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:14</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80165-4">CCE-80165-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040630</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86911r1_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">3.2.5</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.10.1.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-4</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To set the runtime status of the <code>net.ipv4.icmp_echo_ignore_broadcasts</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1</pre> If this is not the system default value, add the following line to <code>/etc/sysctl.conf</code>: <pre>net.ipv4.icmp_echo_ignore_broadcasts = 1</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Responding to broadcast (ICMP) echoes facilitates network mapping and provides a vector for amplification attacks. <br> Ignoring ICMP echo requests (pings) sent to broadcast or multicast addresses makes the system slightly more difficult to enumerate on the network.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_redirects" id="rule-detail-idm46336715394880"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure Kernel Parameter for Accepting ICMP Redirects By Defaultxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_redirects mediumCCE-80163-9 </div><div class="panel-heading"><h3 class="panel-title">Configure Kernel Parameter for Accepting ICMP Redirects By Default</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_redirects</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:14</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80163-9">CCE-80163-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040640</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86913r2_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">3.2.2</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.10.1.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001551</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-4</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To set the runtime status of the <code>net.ipv4.conf.default.accept_redirects</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.default.accept_redirects=0</pre> If this is not the system default value, add the following line to <code>/etc/sysctl.conf</code>: <pre>net.ipv4.conf.default.accept_redirects = 0</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. <br> This feature of the IPv4 protocol has few legitimate uses. It should be disabled unless absolutely required.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_source_route" id="rule-detail-idm46336715405424"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure Kernel Parameter for Accepting IPv4 Source-Routed Packets for All Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_source_route mediumCCE-27434-0 </div><div class="panel-heading"><h3 class="panel-title">Configure Kernel Parameter for Accepting IPv4 Source-Routed Packets for All Interfaces</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_source_route</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:28</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27434-0">CCE-27434-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040610</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86907r1_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">3.2.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-4</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To set the runtime status of the <code>net.ipv4.conf.all.accept_source_route</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.all.accept_source_route=0</pre> If this is not the system default value, add the following line to <code>/etc/sysctl.conf</code>: <pre>net.ipv4.conf.all.accept_source_route = 0</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routerd traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router. <br><br> Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_redirects" id="rule-detail-idm46336715381136"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure Kernel Parameter for Accepting ICMP Redirects for All Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_redirects mediumCCE-80158-9 </div><div class="panel-heading"><h3 class="panel-title">Configure Kernel Parameter for Accepting ICMP Redirects for All Interfaces</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_redirects</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:14</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80158-9">CCE-80158-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040641</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-87827r3_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">3.2.2</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.10.1.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001503</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001551</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To set the runtime status of the <code>net.ipv4.conf.all.accept_redirects</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.all.accept_redirects=0</pre> If this is not the system default value, add the following line to <code>/etc/sysctl.conf</code>: <pre>net.ipv4.conf.all.accept_redirects = 0</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. <br> This feature of the IPv4 protocol has few legitimate uses. It should be disabled unless absolutely required.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_forward" id="rule-detail-idm46336715354048"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable Kernel Parameter for IP Forwardingxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_forward mediumCCE-80157-1 </div><div class="panel-heading"><h3 class="panel-title">Disable Kernel Parameter for IP Forwarding</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_forward</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:14</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80157-1">CCE-80157-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040740</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86933r1_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">3.1.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-32</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To set the runtime status of the <code>net.ipv4.ip_forward</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.ip_forward=0</pre> If this is not the system default value, add the following line to <code>/etc/sysctl.conf</code>: <pre>net.ipv4.ip_forward = 0</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this capability is used when not required, system network information may be unnecessarily transmitted across the network.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_send_redirects" id="rule-detail-idm46336715335328"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable Kernel Parameter for Sending ICMP Redirects for All Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_send_redirects mediumCCE-80156-3 </div><div class="panel-heading"><h3 class="panel-title">Disable Kernel Parameter for Sending ICMP Redirects for All Interfaces</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_send_redirects</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:14</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80156-3">CCE-80156-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040660</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86917r2_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">3.1.2</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.10.1.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-4</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5(1)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To set the runtime status of the <code>net.ipv4.conf.all.send_redirects</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.all.send_redirects=0</pre> If this is not the system default value, add the following line to <code>/etc/sysctl.conf</code>: <pre>net.ipv4.conf.all.send_redirects = 0</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table possibly revealing portions of the network topology. <br> The ability to send ICMP redirects is only appropriate for systems acting as routers.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_send_redirects" id="rule-detail-idm46336715342624"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable Kernel Parameter for Sending ICMP Redirects by Defaultxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_send_redirects mediumCCE-80156-3 </div><div class="panel-heading"><h3 class="panel-title">Disable Kernel Parameter for Sending ICMP Redirects by Default</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_send_redirects</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:14</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80156-3">CCE-80156-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040650</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86915r3_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">3.1.2</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.10.1.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-4</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To set the runtime status of the <code>net.ipv4.conf.default.send_redirects</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.default.send_redirects=0</pre> If this is not the system default value, add the following line to <code>/etc/sysctl.conf</code>: <pre>net.ipv4.conf.default.send_redirects = 0</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table possibly revealing portions of the network topology. <br> The ability to send ICMP redirects is only appropriate for systems acting as routers.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_kernel_module_dccp_disabled" id="rule-detail-idm46336715329360"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable DCCP Supportxccdf_org.ssgproject.content_rule_kernel_module_dccp_disabled mediumCCE-26828-4 </div><div class="panel-heading"><h3 class="panel-title">Disable DCCP Support</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_kernel_module_dccp_disabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:14</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-26828-4">CCE-26828-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">3.5.1</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.10.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.6</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001958</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-020101</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-92517r1_rule</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The Datagram Congestion Control Protocol (DCCP) is a relatively new transport layer protocol, designed to support streaming media and telephony. To configure the system to prevent the <code>dccp</code> kernel module from being loaded, add the following line to a file in the directory <code>/etc/modprobe.d</code>: <pre>install dccp /bin/true</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Disabling DCCP protects the system against exploitation of any flaws in its implementation.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">grep: /etc/modprobe.d/dccp.conf: No such file or directory </message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_wireless_disable_interfaces" id="rule-detail-idm46336715300032"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Deactivate Wireless Network Interfacesxccdf_org.ssgproject.content_rule_wireless_disable_interfaces mediumCCE-27358-1 </div><div class="panel-heading"><h3 class="panel-title">Deactivate Wireless Network Interfaces</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_wireless_disable_interfaces</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:28</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27358-1">CCE-27358-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">4.3.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.16</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000085</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002418</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-18(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-18(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-18(3)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000424-GPOS-00188</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-041010</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-87829r1_rule</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Deactivating wireless network interfaces should prevent normal usage of the wireless capability. <br><br> Configure the system to disable all wireless network interfaces with the following command: <pre>$ sudo nmcli radio wifi off</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The use of wireless networking can introduce many different attack vectors into the organization's network. Common attack vectors such as malicious association and ad hoc networks will allow an attacker to spoof a wireless access point (AP), allowing validated systems to connect to the malicious AP and enabling the attacker to monitor and record network traffic. These malicious APs can also serve to create a man-in-the-middle attack or be used to create a denial of service to valid network resources.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_network_sniffer_disabled" id="rule-detail-idm46336715296064"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure System is Not Acting as a Network Snifferxccdf_org.ssgproject.content_rule_network_sniffer_disabled mediumCCE-80174-6 </div><div class="panel-heading"><h3 class="panel-title">Ensure System is Not Acting as a Network Sniffer</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_network_sniffer_disabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:28</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80174-6">CCE-80174-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040670</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86919r1_rule</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(2).1(i)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MA-3</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The system should not be acting as a network sniffer, which can capture all traffic on the network to which it is connected. Run the following to determine if any interface is running in promiscuous mode: <pre>$ ip link | grep PROMISC</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Network interfaces in promiscuous mode allow for the capture of all network traffic visible to the system. If unauthorized individuals can access these applications, it may allow them to collect information such as logon IDs, passwords, and key exchanges between systems. <br><br> If the system is being used to perform a network troubleshooting function, the use of these tools must be documented with the Information Systems Security Manager (ISSM) and restricted to only authorized personnel.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_network_configure_name_resolution" id="rule-detail-idm46336715287104"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure Multiple DNS Servers in /etc/resolv.confxccdf_org.ssgproject.content_rule_network_configure_name_resolution unknownCCE-80438-5 </div><div class="panel-heading"><h3 class="panel-title">Configure Multiple DNS Servers in /etc/resolv.conf</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_network_configure_name_resolution</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:28</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80438-5">CCE-80438-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040600</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86905r1_rule</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-22</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Multiple Domain Name System (DNS) Servers should be configured in <code>/etc/resolv.conf</code>. This provides redundant name resolution services in the event that a domain server crashes. To configure the system to contain as least <code>2</code> DNS servers, add a corresponding <code>nameserver <i>ip_address</i></code> entry in <code>/etc/resolv.conf</code> for each DNS server where <i>ip_address</i> is the IP address of a valid DNS server. For example: <pre>search example.com nameserver 192.168.0.1 nameserver 192.168.0.2</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>To provide availability for name resolution services, multiple redundant name servers are mandated. A failure in name resolution could lead to the failure of security functions requiring name resolution, which may include time synchronization, centralized authentication, and remote system logging.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_grub2_password" id="rule-detail-idm46336715283136"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set Boot Loader Password in grub2xccdf_org.ssgproject.content_rule_grub2_password highCCE-27309-4 </div><div class="panel-heading"><h3 class="panel-title">Set Boot Loader Password in grub2</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_grub2_password</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:28</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27309-4">CCE-27309-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FIA_AFL.1</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-010480</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86585r4_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">1.4.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.5</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000213</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(B)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(7)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(7)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(ii)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(iii)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(c)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(2)(iii)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-2(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000080-GPOS-00048</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The grub2 boot loader should have a superuser account and password protection enabled to protect boot-time settings. <br><br> To do so, select a superuser account name and password and and modify the <code>/etc/grub.d/01_users</code> configuration file with the new account name. <br><br> Since plaintext passwords are a security risk, generate a hash for the pasword by running the following command: <pre>$ grub2-setpassword</pre> When prompted, enter the password that was selected. <br><br> NOTE: It is recommended not to use common administrator account names like root, admin, or administrator for the grub2 superuser account. <br><br> Change the superuser to a different username (The default is 'root'). <pre>$ sed -i s/root/bootuser/g /etc/grub.d/01_users</pre> <br><br> To meet FISMA Moderate, the bootloader superuser account and password MUST differ from the root account and password. Once the superuser account and password have been added, update the <code>grub.cfg</code> file by running: <pre>grub2-mkconfig -o /boot/grub2/grub.cfg</pre> NOTE: Do NOT manually add the superuser account and password to the <code>grub.cfg</code> file as the grub2-mkconfig command overwrites this file.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Password protection on the boot loader configuration ensures users with physical access cannot trivially alter important bootloader settings. These include which kernel to use, and whether to enter single-user mode. For more information on how to configure the grub2 superuser account and password, please refer to <ul><li><a href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/sec-Protecting_GRUB_2_with_a_Password.html">https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/sec-Protecting_GRUB_2_with_a_Password.html</a></li>. </ul></p></div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span> To prevent hard-coded passwords, automatic remediation of this control is not available. Remediation must be automated as a component of machine provisioning, or followed manually as outlined above.</div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_grub2_uefi_password" id="rule-detail-idm46336715274224"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set the UEFI Boot Loader Passwordxccdf_org.ssgproject.content_rule_grub2_uefi_password mediumCCE-80354-4 </div><div class="panel-heading"><h3 class="panel-title">Set the UEFI Boot Loader Password</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_grub2_uefi_password</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:28</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80354-4">CCE-80354-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FIA_AFL.1</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-010490</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86587r3_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">1.4.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.5</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000213</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(B)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(7)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(7)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(ii)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(iii)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(c)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(2)(iii)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000080-GPOS-00048</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The grub2 boot loader should have a superuser account and password protection enabled to protect boot-time settings. <br><br> To do so, select a superuser account name and password and and modify the <code>/etc/grub.d/01_users</code> configuration file with the new account name. <br><br> Since plaintext passwords are a security risk, generate a hash for the pasword by running the following command: <pre>$ grub2-setpassword</pre> When prompted, enter the password that was selected. <br><br> NOTE: It is recommended not to use common administrator account names like root, admin, or administrator for the grub2 superuser account. <br><br> Change the superuser to a different username (The default is 'root'). <pre>$ sed -i s/root/bootuser/g /etc/grub.d/01_users</pre> <br><br> To meet FISMA Moderate, the bootloader superuser account and password MUST differ from the root account and password. Once the superuser account and password have been added, update the <code>grub.cfg</code> file by running: <pre>grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg</pre> NOTE: Do NOT manually add the superuser account and password to the <code>grub.cfg</code> file as the grub2-mkconfig command overwrites this file.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Password protection on the boot loader configuration ensures users with physical access cannot trivially alter important bootloader settings. These include which kernel to use, and whether to enter single-user mode. For more information on how to configure the grub2 superuser account and password, please refer to <ul><li><a href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/sec-Protecting_GRUB_2_with_a_Password.html">https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/sec-Protecting_GRUB_2_with_a_Password.html</a></li>. </ul></p></div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span> To prevent hard-coded passwords, automatic remediation of this control is not available. Remediation must be automated as a component of machine provisioning, or followed manually as outlined above.</div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notchecked rule-detail-id-xccdf_org.ssgproject.content_rule_grub2_no_removeable_media" id="rule-detail-idm46336715270288"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Boat Loader Is Not Installed On Removeable Mediaxccdf_org.ssgproject.content_rule_grub2_no_removeable_media mediumCCE-80517-6 </div><div class="panel-heading"><h3 class="panel-title">Boat Loader Is Not Installed On Removeable Media</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_grub2_no_removeable_media</td></tr><tr><td>Result</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:28</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80517-6">CCE-80517-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001814</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000364-GPOS-00151</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-021700</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86699r1_rule</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The system must not allow removable media to be used as the boot loader. Remove alternate methods of booting the system from removable media. <code>usb0</code>, <code>cd</code>, <code>fd0</code>, etc. are some examples of removeable media which should not exist in the line: <pre>set root='hd0,msdos1'</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Malicious users with removable boot media can gain access to a system configured to use removable media as the boot loader.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">No candidate or applicable check found.</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_selinux_policytype" id="rule-detail-idm46336714674640"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure SELinux Policyxccdf_org.ssgproject.content_rule_selinux_policytype highCCE-27279-9 </div><div class="panel-heading"><h3 class="panel-title">Configure SELinux Policy</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_selinux_policytype</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:28</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27279-9">CCE-27279-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-020220</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86615r3_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">1.6.1.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.7.2</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002696</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(c)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3(3)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3(4)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-4</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-9</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-6(a)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000445-GPOS-00199</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The SELinux <code>targeted</code> policy is appropriate for general-purpose desktops and servers, as well as systems in many other roles. To configure the system to use this policy, add or correct the following line in <code>/etc/selinux/config</code>: <pre>SELINUXTYPE=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_selinux_policy_name">targeted</abbr></pre> Other policies, such as <code>mls</code>, provide additional security labeling and greater confinement but are not compatible with many general-purpose use cases.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Setting the SELinux policy to <code>targeted</code> or a more specialized policy ensures the system will confine processes that are likely to be targeted for exploitation, such as network or system services. <br><br> Note: During the development or debugging of SELinux modules, it is common to temporarily place non-production systems in <code>permissive</code> mode. In such temporary cases, SELinux policies should be developed, and once work is completed, the system should be reconfigured to <code><abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_selinux_policy_name">targeted</abbr></code>.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_selinux_all_devicefiles_labeled" id="rule-detail-idm46336714664784"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure No Device Files are Unlabeled by SELinuxxccdf_org.ssgproject.content_rule_selinux_all_devicefiles_labeled mediumCCE-27326-8 </div><div class="panel-heading"><h3 class="panel-title">Ensure No Device Files are Unlabeled by SELinux</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_selinux_all_devicefiles_labeled</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:28</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27326-8">CCE-27326-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-020900</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86663r1_rule</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.7.2</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000022</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000032</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000368</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000318</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001812</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001813</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001814</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-9</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-3(f)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Device files, which are used for communication with important system resources, should be labeled with proper SELinux types. If any device files do not carry the SELinux type <code>device_t</code>, report the bug so that policy can be corrected. Supply information about what the device is and what programs use it. <br><br> To check for unlabeled device files, run the following command: <pre>$ sudo find /dev -context *:device_t:* \( -type c -o -type b \) -printf "%p %Z\n"</pre> It should produce no output in a well-configured system.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>If a device file carries the SELinux type <code>device_t</code>, then SELinux cannot properly restrict access to the device file.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notchecked rule-detail-id-xccdf_org.ssgproject.content_rule_selinux_user_login_roles" id="rule-detail-idm46336714660816"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Map System Users To The Appropriate SELinux Rolexccdf_org.ssgproject.content_rule_selinux_user_login_roles mediumCCE-80543-2 </div><div class="panel-heading"><h3 class="panel-title">Map System Users To The Appropriate SELinux Role</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_selinux_user_login_roles</td></tr><tr><td>Result</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:28</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80543-2">CCE-80543-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002235</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000324-GPOS-00125</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-020020</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86595r1_rule</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Configure the operating system to prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. All administrators must be mapped to the <code>sysadm_u</code> or <code>staff_u</code> users with the appropriate domains (<code>sysadm_t</code> and <code>staff_t</code>). <pre>$ sudo semanage login -m -s sysadm_u <i>USER</i></pre> or <pre>$ sudo semanage login -m -s staff_u <i>USER</i></pre> <br><br> All authorized non-administrative users must be mapped to the <code>user_u</code> role or the appropriate domain (user_t). <pre>$ sudo semanage login -m -s user_u <i>USER</i></pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. <br><br> Privileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Non-privileged users are individuals who do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">No candidate or applicable check found.</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_selinux_state" id="rule-detail-idm46336714658000"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure SELinux State is Enforcingxccdf_org.ssgproject.content_rule_selinux_state highCCE-27334-2 </div><div class="panel-heading"><h3 class="panel-title">Ensure SELinux State is Enforcing</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_selinux_state</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:28</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27334-2">CCE-27334-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-020210</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86613r2_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">1.6.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.7.2</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002165</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002696</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(c)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3(3)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3(4)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-4</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-9</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-6(a)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000445-GPOS-00199</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The SELinux state should be set to <code><abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_selinux_state">enforcing</abbr></code> at system boot time. In the file <code>/etc/selinux/config</code>, add or correct the following line to configure the system to boot into enforcing mode: <pre>SELINUX=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_selinux_state">enforcing</abbr></pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Setting the SELinux state to enforcing ensures SELinux is able to confine potentially compromised processes to the security policy, which is designed to prevent them from causing damage to the system or further elevating their privileges.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_logindefs" id="rule-detail-idm46336714645440"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set Password Hashing Algorithm in /etc/login.defsxccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_logindefs mediumCCE-27124-7 </div><div class="panel-heading"><h3 class="panel-title">Set Password Hashing Algorithm in /etc/login.defs</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_logindefs</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:28</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27124-7">CCE-27124-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-010210</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86545r1_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">6.3.1</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.6.2.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.13.11</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000196</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-7</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.2.1</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000073-GPOS-00041</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>In <code>/etc/login.defs</code>, add or correct the following line to ensure the system will use SHA-512 as the hashing algorithm: <pre>ENCRYPT_METHOD SHA512</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm are no more protected than if they are kept in plain text. <br><br> Using a stronger hashing algorithm makes password cracking attacks more difficult.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_libuserconf" id="rule-detail-idm46336714641440"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set Password Hashing Algorithm in /etc/libuser.confxccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_libuserconf mediumCCE-27053-8 </div><div class="panel-heading"><h3 class="panel-title">Set Password Hashing Algorithm in /etc/libuser.conf</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_libuserconf</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:28</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27053-8">CCE-27053-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-010220</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86547r2_rule</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.6.2.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.13.11</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000196</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-7</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.2.1</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000073-GPOS-00041</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>In <code>/etc/libuser.conf</code>, add or correct the following line in its <code>[defaults]</code> section to ensure the system will use the SHA-512 algorithm for password hashing: <pre>crypt_style = sha512</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm are no more protected than if they are kepy in plain text. <br><br> This setting ensures user and group account administration utilities are configured to store only encrypted representations of passwords. Additionally, the <code>crypt_style</code> configuration option ensures the use of a strong hashing algorithm that makes password cracking attacks more difficult.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_systemauth" id="rule-detail-idm46336714637488"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set PAM's Password Hashing Algorithmxccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_systemauth mediumCCE-27104-9 </div><div class="panel-heading"><h3 class="panel-title">Set PAM's Password Hashing Algorithm</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_systemauth</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:28</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27104-9">CCE-27104-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-010200</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86543r2_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">6.3.1</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.6.2.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.13.11</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000196</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-7</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.2.1</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000073-GPOS-00041</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The PAM system service can be configured to only store encrypted representations of passwords. In <code>/etc/pam.d/system-auth</code>, the <code>password</code> section of the file controls which PAM modules execute during a password change. Set the <code>pam_unix.so</code> module in the <code>password</code> section to include the argument <code>sha512</code>, as shown below: <br> <pre>password sufficient pam_unix.so sha512 <i>other arguments...</i></pre> <br> This will help ensure when local users change their passwords, hashes for the new passwords will be generated using the SHA-512 algorithm. This is the default.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm are no more protected than if they are kepy in plain text. <br><br> This setting ensures user and group account administration utilities are configured to store only encrypted representations of passwords. Additionally, the <code>crypt_style</code> configuration option ensures the use of a strong hashing algorithm that makes password cracking attacks more difficult.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root" id="rule-detail-idm46336714633536"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure the root Account for Failed Password Attemptsxccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root mediumCCE-80353-6 </div><div class="panel-heading"><h3 class="panel-title">Configure the root Account for Failed Password Attempts</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:14</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80353-6">CCE-80353-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-010330</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86569r2_rule</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002238</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-7(b)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000329-GPOS-00128</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000021-GPOS-00005</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To configure the system to lock out the <code>root</code> account after a number of incorrect login attempts using <code>pam_faillock.so</code>, modify the content of both <code>/etc/pam.d/system-auth</code> and <code>/etc/pam.d/password-auth</code> as follows: <br><br> <ul><li>Modify the following line in the <code>AUTH</code> section to add <code>even_deny_root</code>: <pre>auth required pam_faillock.so preauth silent <b>even_deny_root</b> deny=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_deny">3</abbr> unlock_time=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_unlock_time">never</abbr> fail_interval=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_fail_interval">900</abbr></pre></li><li>Modify the following line in the <code>AUTH</code> section to add <code>even_deny_root</code>: <pre>auth [default=die] pam_faillock.so authfail <b>even_deny_root</b> deny=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_deny">3</abbr> unlock_time=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_unlock_time">never</abbr> fail_interval=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_fail_interval">900</abbr></pre></li></ul></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time" id="rule-detail-idm46336714628224"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set Lockout Time For Failed Password Attemptsxccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time mediumCCE-26884-7 </div><div class="panel-heading"><h3 class="panel-title">Set Lockout Time For Failed Password Attempts</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:14</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-26884-7">CCE-26884-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-010320</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86567r3_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.3.2</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.8</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002238</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-7(b)</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.1.7</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000329-GPOS-00128</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000021-GPOS-00005</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To configure the system to lock out accounts after a number of incorrect login attempts and require an administrator to unlock the account using <code>pam_faillock.so</code>, modify the content of both <code>/etc/pam.d/system-auth</code> and <code>/etc/pam.d/password-auth</code> as follows: <br><br> <ul><li> add the following line immediately <code>before</code> the <code>pam_unix.so</code> statement in the <code>AUTH</code> section: <pre>auth required pam_faillock.so preauth silent deny=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_deny">3</abbr> unlock_time=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_unlock_time">never</abbr> fail_interval=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_fail_interval">900</abbr></pre></li><li> add the following line immediately <code>after</code> the <code>pam_unix.so</code> statement in the <code>AUTH</code> section: <pre>auth [default=die] pam_faillock.so authfail deny=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_deny">3</abbr> unlock_time=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_unlock_time">never</abbr> fail_interval=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_fail_interval">900</abbr></pre></li><li> add the following line immediately <code>before</code> the <code>pam_unix.so</code> statement in the <code>ACCOUNT</code> section: <pre>account required pam_faillock.so</pre></li></ul></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks. Ensuring that an administrator is involved in unlocking locked accounts draws appropriate attention to such situations.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember" id="rule-detail-idm46336714620080"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Limit Password Reusexccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember mediumCCE-26923-3 </div><div class="panel-heading"><h3 class="panel-title">Limit Password Reuse</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:14</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-26923-3">CCE-26923-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-010270</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86557r2_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.3.3</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.6.2.1.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.5.8</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000200</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(f)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(e)</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.2.5</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000077-GPOS-00045</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Do not allow users to reuse recent passwords. This can be accomplished by using the <code>remember</code> option for the <code>pam_unix</code> or <code>pam_pwhistory</code> PAM modules. <br><br> In the file <code>/etc/pam.d/system-auth</code>, append <code>remember=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_password_pam_unix_remember">5</abbr></code> to the line which refers to the <code>pam_unix.so</code> or <code>pam_pwhistory.so</code>module, as shown below: <ul><li>for the <code>pam_unix.so</code> case: <pre>password sufficient pam_unix.so <i>...existing_options...</i> remember=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_password_pam_unix_remember">5</abbr></pre> </li><li>for the <code>pam_pwhistory.so</code> case: <pre>password requisite pam_pwhistory.so <i>...existing_options...</i> remember=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_password_pam_unix_remember">5</abbr></pre> </li></ul> The DoD STIG requirement is 5 passwords.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval" id="rule-detail-idm46336714609248"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set Interval For Counting Failed Password Attemptsxccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval mediumCCE-27297-1 </div><div class="panel-heading"><h3 class="panel-title">Set Interval For Counting Failed Password Attempts</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:14</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27297-1">CCE-27297-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-010320</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86567r3_rule</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002238</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-7(b)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000329-GPOS-00128</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000021-GPOS-00005</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Utilizing <code>pam_faillock.so</code>, the <code>fail_interval</code> directive configures the system to lock out an accounts after a number of incorrect login attempts within a specified time period. Modify the content of both <code>/etc/pam.d/system-auth</code> and <code>/etc/pam.d/password-auth</code> as follows: <br><br> <ul><li>Add the following line immediately <code>before</code> the <code>pam_unix.so</code> statement in the <code>AUTH</code> section: <pre>auth required pam_faillock.so preauth silent deny=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_deny">3</abbr> unlock_time=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_unlock_time">never</abbr> fail_interval=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_fail_interval">900</abbr></pre></li><li>Add the following line immediately <code>after</code> the <code>pam_unix.so</code> statement in the <code>AUTH</code> section: <pre>auth [default=die] pam_faillock.so authfail deny=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_deny">3</abbr> unlock_time=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_unlock_time">never</abbr> fail_interval=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_fail_interval">900</abbr></pre></li><li>Add the following line immediately <code>before</code> the <code>pam_unix.so</code> statement in the <code>ACCOUNT</code> section: <pre>account required pam_faillock.so</pre></li></ul></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>By limiting the number of failed logon attempts the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny" id="rule-detail-idm46336714603408"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set Deny For Failed Password Attemptsxccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny mediumCCE-27350-8 </div><div class="panel-heading"><h3 class="panel-title">Set Deny For Failed Password Attempts</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:14</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27350-8">CCE-27350-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-010320</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86567r3_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.3.2</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.8</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002238</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-7(b)</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.1.6</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000329-GPOS-00128</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000021-GPOS-00005</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To configure the system to lock out accounts after a number of incorrect login attempts using <code>pam_faillock.so</code>, modify the content of both <code>/etc/pam.d/system-auth</code> and <code>/etc/pam.d/password-auth</code> as follows: <br><br> <ul><li> add the following line immediately <code>before</code> the <code>pam_unix.so</code> statement in the <code>AUTH</code> section: <pre>auth required pam_faillock.so preauth silent deny=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_deny">3</abbr> unlock_time=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_unlock_time">never</abbr> fail_interval=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_fail_interval">900</abbr></pre></li><li> add the following line immediately <code>after</code> the <code>pam_unix.so</code> statement in the <code>AUTH</code> section: <pre>auth [default=die] pam_faillock.so authfail deny=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_deny">3</abbr> unlock_time=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_unlock_time">never</abbr> fail_interval=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_fail_interval">900</abbr></pre></li><li> add the following line immediately <code>before</code> the <code>pam_unix.so</code> statement in the <code>ACCOUNT</code> section: <pre>account required pam_faillock.so</pre></li></ul></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen" id="rule-detail-idm46336714589136"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set Password Minimum Lengthxccdf_org.ssgproject.content_rule_accounts_password_pam_minlen mediumCCE-27293-0 </div><div class="panel-heading"><h3 class="panel-title">Set Password Minimum Length</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:14</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27293-0">CCE-27293-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-010280</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86559r1_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">6.3.2</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.6.2.1.1</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000205</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(a)</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.2.3</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000078-GPOS-00046</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The pam_pwquality module's <code>minlen</code> parameter controls requirements for minimum characters required in a password. Add <code>minlen=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_password_pam_minlen">15</abbr></code> after pam_pwquality to set minimum password length requirements.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. <br> Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromose the password.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_password_pam_maxclassrepeat" id="rule-detail-idm46336714594064"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set Password to Maximum of Consecutive Repeating Characters from Same Character Classxccdf_org.ssgproject.content_rule_accounts_password_pam_maxclassrepeat mediumCCE-27512-3 </div><div class="panel-heading"><h3 class="panel-title">Set Password to Maximum of Consecutive Repeating Characters from Same Character Class</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_password_pam_maxclassrepeat</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:14</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27512-3">CCE-27512-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-010190</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86541r1_rule</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000195</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(c)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000072-GPOS-00040</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The pam_pwquality module's <code>maxclassrepeat</code> parameter controls requirements for consecutive repeating characters from the same character class. When set to a positive number, it will reject passwords which contain more than that number of consecutive characters from the same character class. Modify the <code>maxclassrepeat</code> setting in <code>/etc/security/pwquality.conf</code> to equal <abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_password_pam_maxclassrepeat">4</abbr> to prevent a run of (<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_password_pam_maxclassrepeat">4</abbr> + 1) or more identical characters.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Use of a complex password helps to increase the time and resources required to comrpomise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. <br> Password complexity is one factor of several that determines how long it takes to crack a password. The more complex a password, the greater the number of possible combinations that need to be tested before the password is compromised.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_password_pam_maxrepeat" id="rule-detail-idm46336714577552"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set Password Maximum Consecutive Repeating Charactersxccdf_org.ssgproject.content_rule_accounts_password_pam_maxrepeat mediumCCE-27333-4 </div><div class="panel-heading"><h3 class="panel-title">Set Password Maximum Consecutive Repeating Characters</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_password_pam_maxrepeat</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:14</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27333-4">CCE-27333-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-010180</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86539r2_rule</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000195</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(c)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000072-GPOS-00040</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The pam_pwquality module's <code>maxrepeat</code> parameter controls requirements for consecutive repeating characters. When set to a positive number, it will reject passwords which contain more than that number of consecutive characters. Modify the <code>maxrepeat</code> setting in <code>/etc/security/pwquality.conf</code> to equal <abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_password_pam_maxrepeat">3</abbr> to prevent a run of (<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_password_pam_maxrepeat">3</abbr> + 1) or more identical characters.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. <br><br> Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. <br><br> Passwords with excessive repeating characters may be more vulnerable to password-guessing attacks.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit" id="rule-detail-idm46336714564160"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set Password Strength Minimum Digit Charactersxccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit mediumCCE-27214-6 </div><div class="panel-heading"><h3 class="panel-title">Set Password Strength Minimum Digit Characters</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:14</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27214-6">CCE-27214-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-010140</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86531r2_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">6.3.2</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000194</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">194</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.2.3</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000071-GPOS-00039</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The pam_pwquality module's <code>dcredit</code> parameter controls requirements for usage of digits in a password. When set to a negative number, any password will be required to contain that many digits. When set to a positive number, pam_pwquality will grant +1 additional length credit for each digit. Modify the <code>dcredit</code> setting in <code>/etc/security/pwquality.conf</code> to require the use of a digit in passwords.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. <br><br> Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possble combinations that need to be tested before the password is compromised. Requiring digits makes password guessing attacks more difficult by ensuring a larger search space.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_password_pam_minclass" id="rule-detail-idm46336714544256"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set Password Strength Minimum Different Categoriesxccdf_org.ssgproject.content_rule_accounts_password_pam_minclass mediumCCE-27115-5 </div><div class="panel-heading"><h3 class="panel-title">Set Password Strength Minimum Different Categories</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_password_pam_minclass</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:14</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27115-5">CCE-27115-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-010170</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86537r1_rule</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000195</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000072-GPOS-00040</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The pam_pwquality module's <code>minclass</code> parameter controls requirements for usage of different character classes, or types, of character that must exist in a password before it is considered valid. For example, setting this value to three (3) requires that any password must have characters from at least three different categories in order to be approved. The default value is zero (0), meaning there are no required classes. There are four categories available: <pre> * Upper-case characters * Lower-case characters * Digits * Special characters (for example, punctuation) </pre> Modify the <code>minclass</code> setting in <code>/etc/security/pwquality.conf</code> entry to require <abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_password_pam_minclass">4</abbr> differing categories of characters when changing passwords.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. <br><br> Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. <br><br> Requiring a minimum number of character categories makes password guessing attacks more difficult by ensuring a larger search space.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_password_pam_difok" id="rule-detail-idm46336714548704"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set Password Strength Minimum Different Charactersxccdf_org.ssgproject.content_rule_accounts_password_pam_difok mediumCCE-26631-2 </div><div class="panel-heading"><h3 class="panel-title">Set Password Strength Minimum Different Characters</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_password_pam_difok</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:14</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-26631-2">CCE-26631-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-010160</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86535r1_rule</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.6.2.1.1</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000195</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(b)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000072-GPOS-00040</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The pam_pwquality module's <code>difok</code> parameter sets the number of characters in a password that must not be present in and old password during a password change. <br><br> Modify the <code>difok</code> setting in <code>/etc/security/pwquality.conf</code> to equal <abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_password_pam_difok">8</abbr> to require differing characters when changing passwords.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and bruteâforce attacks. <br><br> Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. <br><br> Requiring a minimum number of different characters during password changes ensures that newly changed passwords should not resemble previously compromised ones. Note that passwords which are changed on compromised systems will still be compromised, however.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_password_pam_ocredit" id="rule-detail-idm46336714522304"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set Password Strength Minimum Special Charactersxccdf_org.ssgproject.content_rule_accounts_password_pam_ocredit mediumCCE-27360-7 </div><div class="panel-heading"><h3 class="panel-title">Set Password Strength Minimum Special Characters</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_password_pam_ocredit</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:14</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27360-7">CCE-27360-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-010150</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86533r1_rule</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001619</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(a)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000266-GPOS-00101</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The pam_pwquality module's <code>ocredit=</code> parameter controls requirements for usage of special (or "other") characters in a password. When set to a negative number, any password will be required to contain that many special characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each special character. Modify the <code>ocredit</code> setting in <code>/etc/security/pwquality.conf</code> to equal <abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_password_pam_ocredit">-1</abbr> to require use of a special character in passwords.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. <br><br> Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possble combinations that need to be tested before the password is compromised. Requiring a minimum number of special characters makes password guessing attacks more difficult by ensuring a larger search space.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit" id="rule-detail-idm46336714527728"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set Password Strength Minimum Lowercase Charactersxccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit mediumCCE-27345-8 </div><div class="panel-heading"><h3 class="panel-title">Set Password Strength Minimum Lowercase Characters</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:14</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27345-8">CCE-27345-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-010130</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86529r4_rule</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000193</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(a)</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.2.3</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000070-GPOS-00038</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The pam_pwquality module's <code>lcredit</code> parameter controls requirements for usage of lowercase letters in a password. When set to a negative number, any password will be required to contain that many lowercase characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each lowercase character. Modify the <code>lcredit</code> setting in <code>/etc/security/pwquality.conf</code> to require the use of a lowercase character in passwords.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. <br><br> Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possble combinations that need to be tested before the password is compromised. Requiring a minimum number of lowercase characters makes password guessing attacks more difficult by ensuring a larger search space.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit" id="rule-detail-idm46336714500096"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set Password Strength Minimum Uppercase Charactersxccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit mediumCCE-27200-5 </div><div class="panel-heading"><h3 class="panel-title">Set Password Strength Minimum Uppercase Characters</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:14</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27200-5">CCE-27200-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-010120</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86527r2_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">6.3.2</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000192</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(a)</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.2.3</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000069-GPOS-00037</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The pam_pwquality module's <code>ucredit=</code> parameter controls requirements for usage of uppercase letters in a password. When set to a negative number, any password will be required to contain that many uppercase characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each uppercase character. Modify the <code>ucredit</code> setting in <code>/etc/security/pwquality.conf</code> to require the use of an uppercase character in passwords.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Use of a complex password helps to increase the time and resources reuiqred to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. <br><br> Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_password_pam_retry" id="rule-detail-idm46336714505536"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set Password Retry Prompts Permitted Per-Sessionxccdf_org.ssgproject.content_rule_accounts_password_pam_retry unknownCCE-27160-1 </div><div class="panel-heading"><h3 class="panel-title">Set Password Retry Prompts Permitted Per-Session</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_password_pam_retry</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:28</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27160-1">CCE-27160-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-010119</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-87811r3_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">6.3.2</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.3</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(c)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00225</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To configure the number of retry prompts that are permitted per-session: <br><br> Edit the <code>pam_pwquality.so</code> statement in <code>/etc/pam.d/system-auth</code> to show <code>retry=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_password_pam_retry">3</abbr></code>, or a lower value if site policy is more restrictive. <br><br> The DoD requirement is a maximum of 3 prompts per session.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Setting the password retry prompts that are permitted on a per-session basis to a low value requires some software, such as SSH, to re-connect. This can slow down and draw additional attention to some types of password-guessing attacks. Note that this is different from account lockout, which is provided by the pam_faillock module.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_display_login_attempts" id="rule-detail-idm46336714469264"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set Last Logon/Access Notificationxccdf_org.ssgproject.content_rule_display_login_attempts lowCCE-27275-7 </div><div class="panel-heading"><h3 class="panel-title">Set Last Logon/Access Notification</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_display_login_attempts</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:28</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27275-7">CCE-27275-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040530</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86899r2_rule</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.2</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-9</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.2.4</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To configure the system to notify users of last logon/access using <code>pam_lastlog</code>, add or correct the <code>pam_lastlog</code> settings in <code>/etc/pam.d/postlogin</code> to read as follows: <pre>session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet session [default=1] pam_lastlog.so nowtmp showfailed session optional pam_lastlog.so silent noupdate showfailed</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Users need to be aware of activity that occurs regarding their account. Providing users with information regarding the number of unsuccessful attempts that were made to login to their account allows the user to determine if any unauthorized activity has occurred and gives them an opportunity to notify administrators.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_minimum_age_login_defs" id="rule-detail-idm46336714460304"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set Password Minimum Agexccdf_org.ssgproject.content_rule_accounts_minimum_age_login_defs mediumCCE-27002-5 </div><div class="panel-heading"><h3 class="panel-title">Set Password Minimum Age</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_minimum_age_login_defs</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:14</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27002-5">CCE-27002-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-010230</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86549r1_rule</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.6.2.1.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.5.8</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000198</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(f)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(d)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000075-GPOS-00043</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To specify password minimum age for new accounts, edit the file <code>/etc/login.defs</code> and add or correct the following line: <pre>PASS_MIN_DAYS <abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_minimum_age_login_defs">1</abbr></pre> A value of 1 day is considered sufficient for many environments. The DoD requirement is 1. The profile requirement is <code><abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_minimum_age_login_defs">1</abbr></code>.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, then the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse. <br><br> Setting the minimum password age protects against users cycling back to a favorite password after satisfying the password reuse requirement.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs" id="rule-detail-idm46336714454816"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set Password Maximum Agexccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs mediumCCE-27051-2 </div><div class="panel-heading"><h3 class="panel-title">Set Password Maximum Age</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:14</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27051-2">CCE-27051-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-010250</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86553r1_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.4.1.1</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.6.2.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.5.6</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000199</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(f)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(g)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(d)</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.2.4</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000076-GPOS-00044</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To specify password maximum age for new accounts, edit the file <code>/etc/login.defs</code> and add or correct the following line: <pre>PASS_MAX_DAYS <abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_maximum_age_login_defs">60</abbr></pre> A value of 180 days is sufficient for many environments. The DoD requirement is 60. The profile requirement is <code><abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_maximum_age_login_defs">60</abbr></code>.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised. <br><br> Setting the password maximum age ensures users are required to periodically change their passwords. Requiring shorter password lifetimes increases the risk of users writing down the password in a convenient location subject to physical compromise.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notchecked rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_password_set_min_life_existing" id="rule-detail-idm46336714444816"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set Existing Passwords Minimum Agexccdf_org.ssgproject.content_rule_accounts_password_set_min_life_existing mediumCCE-80521-8 </div><div class="panel-heading"><h3 class="panel-title">Set Existing Passwords Minimum Age</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_password_set_min_life_existing</td></tr><tr><td>Result</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:28</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80521-8">CCE-80521-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000198</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000075-GPOS-00043</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-010240</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86551r1_rule</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Configure non-compliant accounts to enforce a 24 hours/1 day minimum password lifetime by running the following command: <pre>$ sudo chage -m 1 <i>USER</i></pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">No candidate or applicable check found.</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notchecked rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_password_set_max_life_existing" id="rule-detail-idm46336714448256"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set Existing Passwords Maximum Agexccdf_org.ssgproject.content_rule_accounts_password_set_max_life_existing mediumCCE-80522-6 </div><div class="panel-heading"><h3 class="panel-title">Set Existing Passwords Maximum Age</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_password_set_max_life_existing</td></tr><tr><td>Result</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:28</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80522-6">CCE-80522-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000199</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000076-GPOS-00044</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-010260</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86555r1_rule</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Configure non-compliant accounts to enforce a 60-day maximum password lifetime restriction by running the following command: <pre>$ sudo chage -M 60 <i>USER</i></pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">No candidate or applicable check found.</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero" id="rule-detail-idm46336714422608"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Verify Only Root Has UID 0xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero highCCE-27175-9 </div><div class="panel-heading"><h3 class="panel-title">Verify Only Root Has UID 0</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:28</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27175-9">CCE-27175-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-020310</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86629r1_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">6.2.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.5</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-2(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-4</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>If any account other than root has a UID of 0, this misconfiguration should be investigated and the accounts other than root should be removed or have their UID changed. <br> If the account is associated with system commands or applications the UID should be changed to one greater than "0" but less than "1000." Otherwise assign a UID greater than "1000" that has not already been assigned.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>An account has root authority if it has a UID of 0. Multiple accounts with a UID of 0 afford more opportunity for potential intruders to guess a password for a privileged account. Proper configuration of sudo is recommended to afford multiple system administrators access to root privileges in an accountable manner.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_account_disable_post_pw_expiration" id="rule-detail-idm46336714414288"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set Account Expiration Following Inactivityxccdf_org.ssgproject.content_rule_account_disable_post_pw_expiration mediumCCE-27355-7 </div><div class="panel-heading"><h3 class="panel-title">Set Account Expiration Following Inactivity</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_account_disable_post_pw_expiration</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:14</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27355-7">CCE-27355-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-010310</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86565r1_rule</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.6.2.1.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.5.6</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000795</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(2)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(3)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-4(e)</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.1.4</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000118-GPOS-00060</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To specify the number of days after a password expires (which signifies inactivity) until an account is permanently disabled, add or correct the following lines in <code>/etc/default/useradd</code>, substituting <code><i>NUM_DAYS</i></code> appropriately: <pre>INACTIVE=<i><abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_account_disable_post_pw_expiration">0</abbr></i></pre> A value of 35 is recommended; however, this profile expects that the value is set to <code><abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_account_disable_post_pw_expiration">0</abbr></code>. If a password is currently on the verge of expiration, then 35 days remain until the account is automatically disabled. However, if the password will not expire for another 60 days, then 95 days could elapse until the account would be automatically disabled. See the <code>useradd</code> man page for more information. Determining the inactivity timeout must be done with careful consideration of the length of a "normal" period of inactivity for users in the particular environment. Setting the timeout too low incurs support costs and also has the potential to impact availability of the system to legitimate users.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Disabling inactive accounts ensures that accounts which may not have been responsibly removed are not available to attackers who may have compromised their credentials.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_no_empty_passwords" id="rule-detail-idm46336714393888"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Prevent Log In to Accounts With Empty Passwordxccdf_org.ssgproject.content_rule_no_empty_passwords highCCE-27286-4 </div><div class="panel-heading"><h3 class="panel-title">Prevent Log In to Accounts With Empty Password</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_no_empty_passwords</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:14</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27286-4">CCE-27286-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FIA_AFL.1</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-010290</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86561r2_rule</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.5</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(B)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(7)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(7)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(ii)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(iii)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(c)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(2)(iii)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(a)</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.2.3</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>If an account is configured for password authentication but does not have an assigned password, it may be possible to log into the account without authentication. Remove any instances of the <code>nullok</code> option in <code>/etc/pam.d/system-auth</code> to prevent logins with empty passwords.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_gid_passwd_group_same" id="rule-detail-idm46336714390368"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->All GIDs referenced in /etc/passwd must be defined in /etc/groupxccdf_org.ssgproject.content_rule_gid_passwd_group_same lowCCE-27503-2 </div><div class="panel-heading"><h3 class="panel-title">All GIDs referenced in /etc/passwd must be defined in /etc/group</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_gid_passwd_group_same</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:28</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27503-2">CCE-27503-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-020300</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86627r1_rule</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.2</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000764</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-2</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.5.a</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000104-GPOS-00051</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Add a group to the system for each GID referenced without a corresponding group.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>If a user is assigned the Group Identifier (GID) of a group not existing on the system, and a group with the Gruop Identifier (GID) is subsequently created, the user may have unintended rights to any files associated with the group.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_package_screen_installed" id="rule-detail-idm46336714386496"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Install the screen Packagexccdf_org.ssgproject.content_rule_package_screen_installed mediumCCE-27351-6 </div><div class="panel-heading"><h3 class="panel-title">Install the screen Package</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_screen_installed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:28</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27351-6">CCE-27351-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-010090</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86521r1_rule</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.10</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000057</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-11(a)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000029-GPOS-00010</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To enable console screen locking, install the <code>screen</code> package: <pre>$ sudo yum install screen</pre> Instruct users to begin new terminal sessions with the following command: <pre>$ screen</pre> The console can now be locked with the following key combination: <pre>ctrl+a x</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but des not logout because of the temporary nature of the absence. Rather than relying on the user to manually lock their operation system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock. <br><br> The <code>screen</code> package allows for a session lock to be implemented and configured.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-error rule-detail-id-xccdf_org.ssgproject.content_rule_smartcard_auth" id="rule-detail-idm46336714382656"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Enable Smart Card Loginxccdf_org.ssgproject.content_rule_smartcard_auth mediumCCE-80207-4 </div><div class="panel-heading"><h3 class="panel-title">Enable Smart Card Login</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_smartcard_auth</td></tr><tr><td>Result</td><td class="rule-result rule-result-error"><div><abbr title="The checking engine could not complete the evaluation, therefore the status of the target's compliance with the rule is not certain. This could happen, for example, if a testing tool was run with insufficient privileges and could not gather all of the necessary information.">error</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:15</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80207-4">CCE-80207-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-010500</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86589r1_rule</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000765</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000766</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000767</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000768</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000771</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000772</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000884</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-2(2)</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.3</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000104-GPOS-00051</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000106-GPOS-00053</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000107-GPOS-00054</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000109-GPOS-00056</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000108-GPOS-00055</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000108-GPOS-00057</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000108-GPOS-00058</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To enable smart card authentication, consult the documentation at: <ul><li><b><a href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/smartcards.html#authconfig-smartcards">https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/smartcards.html#authconfig-smartcards</a></b></li></ul> For guidance on enabling SSH to authenticate against a Common Access Card (CAC), consult documentation at: <ul><li><b><a href="https://access.redhat.com/solutions/82273">https://access.redhat.com/solutions/82273</a></b></li></ul></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Smart card login provides two-factor authentication stronger than that provided by a username and password combination. Smart cards leverage PKI (public key infrastructure) in order to provide and verify credentials.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">which: no dnf in (/bin:/sbin:/usr/bin:/usr/sbin) /bin/yum which: no dnf in (/bin:/sbin:/usr/bin:/usr/sbin) /bin/yum Running in chroot, ignoring request. Running in chroot, ignoring request. </message></pre><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Failed to verify applied fix: Checking engine returns: fail</message></pre></div></div></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation Shell script:</span>Â Â Â <a data-toggle="collapse" data-target="#idm46336723809296">(show)</a><br></br><div class="panel-collapse collapse" id="idm46336723809296"><pre><code> # Install required packages <abbr title="from TestResult: xccdf_org.ssgproject.content_value_function_package_install"># Function to install packages on RHEL, Fedora, Debian, and possibly other systems. # # Example Call(s): # # package_install aide # function package_install { # Load function arguments into local variables local package="$1" # Check sanity of the input if [ $# -ne "1" ] then echo "Usage: package_install 'package_name'" echo "Aborting." exit 1 fi if which dnf ; then if ! rpm -q --quiet "$package"; then dnf install -y "$package" fi elif which yum ; then if ! rpm -q --quiet "$package"; then yum install -y "$package" fi elif which apt-get ; then apt-get install -y "$package" else echo "Failed to detect available packaging system, tried dnf, yum and apt-get!" echo "Aborting." exit 1 fi } </abbr> package_install esc package_install pam_pkcs11 # Enable pcscd.socket systemd activation socket <abbr title="from TestResult: xccdf_org.ssgproject.content_value_function_service_command"># Function to enable/disable and start/stop services on RHEL and Fedora systems. # # Example Call(s): # # service_command enable bluetooth # service_command disable bluetooth.service # # Using xinetd: # service_command disable rsh.socket xinetd=rsh # function service_command { # Load function arguments into local variables local service_state=$1 local service=$2 local xinetd=$(echo $3 | cut -d'=' -f2) # Check sanity of the input if [ $# -lt "2" ] then echo "Usage: service_command 'enable/disable' 'service_name.service'" echo echo "To enable or disable xinetd services add \'xinetd=service_name\'" echo "as the last argument" echo "Aborting." exit 1 fi # If systemctl is installed, use systemctl command; otherwise, use the service/chkconfig commands if [ -f "/usr/bin/systemctl" ] ; then service_util="/usr/bin/systemctl" else service_util="/sbin/service" chkconfig_util="/sbin/chkconfig" fi # If disable is not specified in arg1, set variables to enable services. # Otherwise, variables are to be set to disable services. if [ "$service_state" != 'disable' ] ; then service_state="enable" service_operation="start" chkconfig_state="on" else service_state="disable" service_operation="stop" chkconfig_state="off" fi # If chkconfig_util is not empty, use chkconfig/service commands. if [ "x$chkconfig_util" != x ] ; then $service_util $service $service_operation $chkconfig_util --level 0123456 $service $chkconfig_state else $service_util $service_operation $service $service_util $service_state $service # The service may not be running because it has been started and failed, # so let's reset the state so OVAL checks pass. # Service should be 'inactive', not 'failed' after reboot though. $service_util reset-failed $service fi # Test if local variable xinetd is empty using non-bashism. # If empty, then xinetd is not being used. if [ "x$xinetd" != x ] ; then grep -qi disable /etc/xinetd.d/$xinetd && \ if [ "$service_operation" = 'disable' ] ; then sed -i "s/disable.*/disable = no/gI" /etc/xinetd.d/$xinetd else sed -i "s/disable.*/disable = yes/gI" /etc/xinetd.d/$xinetd fi fi } </abbr> service_command enable pcscd.socket # Configure the expected /etc/pam.d/system-auth{,-ac} settings directly # # The code below will configure system authentication in the way smart card # logins will be enabled, but also user login(s) via other method to be allowed # # NOTE: It is not possible to use the 'authconfig' command to perform the # remediation for us, because call of 'authconfig' would discard changes # for other remediations (see RH BZ#1357019 for details) # # Therefore we need to configure the necessary settings directly. # # Define system-auth config location SYSTEM_AUTH_CONF="/etc/pam.d/system-auth" # Define expected 'pam_env.so' row in $SYSTEM_AUTH_CONF PAM_ENV_SO="auth.*required.*pam_env.so" # Define 'pam_succeed_if.so' row to be appended past $PAM_ENV_SO row into $SYSTEM_AUTH_CONF SYSTEM_AUTH_PAM_SUCCEED="\ auth [success=1 default=ignore] pam_succeed_if.so service notin \ login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid" # Define 'pam_pkcs11.so' row to be appended past $SYSTEM_AUTH_PAM_SUCCEED # row into SYSTEM_AUTH_CONF file SYSTEM_AUTH_PAM_PKCS11="\ auth [success=done authinfo_unavail=ignore ignore=ignore default=die] \ pam_pkcs11.so nodebug" # Define smartcard-auth config location SMARTCARD_AUTH_CONF="/etc/pam.d/smartcard-auth" # Define 'pam_pkcs11.so' auth section to be appended past $PAM_ENV_SO into $SMARTCARD_AUTH_CONF SMARTCARD_AUTH_SECTION="\ auth [success=done ignore=ignore default=die] pam_pkcs11.so wait_for_card card_only" # Define expected 'pam_permit.so' row in $SMARTCARD_AUTH_CONF PAM_PERMIT_SO="account.*required.*pam_permit.so" # Define 'pam_pkcs11.so' password section SMARTCARD_PASSWORD_SECTION="\ password required pam_pkcs11.so" # First Correct the SYSTEM_AUTH_CONF configuration if ! grep -q 'pam_pkcs11.so' "$SYSTEM_AUTH_CONF" then # Append (expected) pam_succeed_if.so row past the pam_env.so into SYSTEM_AUTH_CONF file # and append (expected) pam_pkcs11.so row right after the pam_succeed_if.so we just added # in SYSTEM_AUTH_CONF file # This will preserve any other already existing row equal to "$SYSTEM_AUTH_PAM_SUCCEED" echo "$(awk '/^'"$PAM_ENV_SO"'/{print $0 RS "'"$SYSTEM_AUTH_PAM_SUCCEED"'" RS "'"$SYSTEM_AUTH_PAM_PKCS11"'";next}1' "$SYSTEM_AUTH_CONF")" > "$SYSTEM_AUTH_CONF" fi # Then also correct the SMARTCARD_AUTH_CONF if ! grep -q 'pam_pkcs11.so' "$SMARTCARD_AUTH_CONF" then # Append (expected) SMARTCARD_AUTH_SECTION row past the pam_env.so into SMARTCARD_AUTH_CONF file sed -i --follow-symlinks -e '/^'"$PAM_ENV_SO"'/a '"$SMARTCARD_AUTH_SECTION" "$SMARTCARD_AUTH_CONF" # Append (expected) SMARTCARD_PASSWORD_SECTION row past the pam_permit.so into SMARTCARD_AUTH_CONF file sed -i --follow-symlinks -e '/^'"$PAM_PERMIT_SO"'/a '"$SMARTCARD_PASSWORD_SECTION" "$SMARTCARD_AUTH_CONF" fi # Perform /etc/pam_pkcs11/pam_pkcs11.conf settings below # Define selected constants for later reuse SP="[:space:]" PAM_PKCS11_CONF="/etc/pam_pkcs11/pam_pkcs11.conf" # Ensure OCSP is turned on in $PAM_PKCS11_CONF # 1) First replace any occurrence of 'none' value of 'cert_policy' key setting with the correct configuration sed -i "s/^[$SP]*cert_policy[$SP]\+=[$SP]\+none;/\t\tcert_policy = ca, ocsp_on, signature;/g" "$PAM_PKCS11_CONF" # 2) Then append 'ocsp_on' value setting to each 'cert_policy' key in $PAM_PKCS11_CONF configuration line, # which does not contain it yet sed -i "/ocsp_on/! s/^[$SP]*cert_policy[$SP]\+=[$SP]\+\(.*\);/\t\tcert_policy = \1, ocsp_on;/" "$PAM_PKCS11_CONF" </code></pre></div></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation Anaconda snippet:</span>Â Â Â <a data-toggle="collapse" data-target="#idm46336723803152">(show)</a><br></br><div class="panel-collapse collapse" id="idm46336723803152"><pre><code> package --add=pam_pkcs11 --add=esc </code></pre></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-error rule-detail-id-xccdf_org.ssgproject.content_rule_install_smartcard_packages" id="rule-detail-idm46336714357664"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Install Smart Card Packages For Multifactor Authenticationxccdf_org.ssgproject.content_rule_install_smartcard_packages mediumCCE-80519-2 </div><div class="panel-heading"><h3 class="panel-title">Install Smart Card Packages For Multifactor Authentication</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_install_smartcard_packages</td></tr><tr><td>Result</td><td class="rule-result rule-result-error"><div><abbr title="The checking engine could not complete the evaluation, therefore the status of the target's compliance with the rule is not certain. This could happen, for example, if a testing tool was run with insufficient privileges and could not gather all of the necessary information.">error</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:15</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80519-2">CCE-80519-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001954</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000375-GPOS-00160</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-041001</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-87041r2_rule</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Configure the operating system to implement multifactor authentication by installing the required packages with the following command: <pre>$ sudo yum install esc pam_pkcs11 authconfig-gtk</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device. <br><br> Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD Common Access Card.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 1</message></pre><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">which: no dnf in (/bin:/sbin:/usr/bin:/usr/sbin) /bin/yum which: no dnf in (/bin:/sbin:/usr/bin:/usr/sbin) /bin/yum which: no dnf in (/bin:/sbin:/usr/bin:/usr/sbin) /bin/yum Loaded plugins: product-id, search-disabled-repos, subscription-manager This system is not registered with an entitlement server. You can use subscription-manager to register. There are no enabled repos. Run "yum repolist all" to see the repos you have. To enable Red Hat Subscription Management repositories: subscription-manager repos --enable <repo> To enable custom repositories: yum-config-manager --enable <repo> </message></pre><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Failed to verify applied fix: Checking engine returns: fail</message></pre></div></div></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation Shell script:</span>Â Â Â <a data-toggle="collapse" data-target="#idm46336723806528">(show)</a><br></br><div class="panel-collapse collapse" id="idm46336723806528"><pre><code><abbr title="from TestResult: xccdf_org.ssgproject.content_value_function_package_install"># Function to install packages on RHEL, Fedora, Debian, and possibly other systems. # # Example Call(s): # # package_install aide # function package_install { # Load function arguments into local variables local package="$1" # Check sanity of the input if [ $# -ne "1" ] then echo "Usage: package_install 'package_name'" echo "Aborting." exit 1 fi if which dnf ; then if ! rpm -q --quiet "$package"; then dnf install -y "$package" fi elif which yum ; then if ! rpm -q --quiet "$package"; then yum install -y "$package" fi elif which apt-get ; then apt-get install -y "$package" else echo "Failed to detect available packaging system, tried dnf, yum and apt-get!" echo "Aborting." exit 1 fi } </abbr> package_install esc package_install pam_pkcs11 <abbr title="from TestResult: xccdf_org.ssgproject.content_value_function_package_install"># Function to install packages on RHEL, Fedora, Debian, and possibly other systems. # # Example Call(s): # # package_install aide # function package_install { # Load function arguments into local variables local package="$1" # Check sanity of the input if [ $# -ne "1" ] then echo "Usage: package_install 'package_name'" echo "Aborting." exit 1 fi if which dnf ; then if ! rpm -q --quiet "$package"; then dnf install -y "$package" fi elif which yum ; then if ! rpm -q --quiet "$package"; then yum install -y "$package" fi elif which apt-get ; then apt-get install -y "$package" else echo "Failed to detect available packaging system, tried dnf, yum and apt-get!" echo "Aborting." exit 1 fi } </abbr> package_install authconfig-gtk </code></pre></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notchecked rule-detail-id-xccdf_org.ssgproject.content_rule_smartcard_configure_cert_checking" id="rule-detail-idm46336714372416"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure Smart Card Certificate Status Checkingxccdf_org.ssgproject.content_rule_smartcard_configure_cert_checking mediumCCE-80520-0 </div><div class="panel-heading"><h3 class="panel-title">Configure Smart Card Certificate Status Checking</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_smartcard_configure_cert_checking</td></tr><tr><td>Result</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:28</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80520-0">CCE-80520-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001954</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000375-GPOS-00160</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-041003</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-87057r4_rule</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Configure the operating system to do certificate status checking for PKI authentication. Modify all of the <code>cert_policy</code> lines in <code>/etc/pam_pkcs11/pam_pkcs11.conf</code> to include <code>ocsp_on</code> like so: <pre>cert_policy = ca, ocsp_on, signature;</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device. <br><br> Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD Common Access Card.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">No candidate or applicable check found.</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_require_singleuser_auth" id="rule-detail-idm46336714369824"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Require Authentication for Single User Modexccdf_org.ssgproject.content_rule_require_singleuser_auth mediumCCE-27287-2 </div><div class="panel-heading"><h3 class="panel-title">Require Authentication for Single User Mode</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_require_singleuser_auth</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:28</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27287-2">CCE-27287-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FIA_AFL.1</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-010481</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-92519r1_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">1.4.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.5</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000213</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(B)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(7)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(7)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(ii)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(iii)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(c)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(2)(iii)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-2(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000080-GPOS-00048</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-010481</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-92519r1_rule</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Single-user mode is intended as a system recovery method, providing a single user root access to the system by providing a boot option at startup. By default, no authentication is performed if single-user mode is selected. <br><br> By default, single-user mode is protected by requiring a password and is set in <code>/usr/lib/systemd/system/rescue.service</code>.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>This prevents attackers with physical access from trivially bypassing security on the machine and gaining root access. Such accesses are further prevented by configuring the bootloader password.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_reboot" id="rule-detail-idm46336714347328"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable Ctrl-Alt-Del Reboot Activationxccdf_org.ssgproject.content_rule_disable_ctrlaltdel_reboot highCCE-27511-5 </div><div class="panel-heading"><h3 class="panel-title">Disable Ctrl-Alt-Del Reboot Activation</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_reboot</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:15</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27511-5">CCE-27511-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-020230</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86617r1_rule</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.5</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(B)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(7)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(7)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(ii)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(iii)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(c)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(2)(iii)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>By default, <code>SystemD</code> will reboot the system if the <code>Ctrl-Alt-Del</code> key sequence is pressed. <br><br> To configure the system to ignore the <code>Ctrl-Alt-Del</code> key sequence from the command line instead of rebooting the system, do either of the following: <pre>ln -sf /dev/null /etc/systemd/system/ctrl-alt-del.target</pre> or <pre>systemctl mask ctrl-alt-del.target</pre> <br><br> Do not simply delete the <code>/usr/lib/systemd/system/ctrl-alt-del.service</code> file, as this file may be restored during future system updates.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>A locally logged-in user who presses Ctrl-Alt-Del, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot.</p></div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span>Â Disabling the <code>Ctrl-Alt-Del</code> key sequence in <code>/etc/init/control-alt-delete.conf</code> DOES NOT disable the <code>Ctrl-Alt-Del</code> key sequence if running in <code>runlevel 6</code> (e.g. in GNOME, KDE, etc.)! The <code>Ctrl-Alt-Del</code> key sequence will only be disabled if running in the non-graphical <code>runlevel 3</code>.</div></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Created symlink /etc/systemd/system/ctrl-alt-del.target, pointing to /dev/null. </message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_dconf_gnome_banner_enabled" id="rule-detail-idm46336714336880"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Enable GNOME3 Login Warning Bannerxccdf_org.ssgproject.content_rule_dconf_gnome_banner_enabled mediumCCE-26970-4 </div><div class="panel-heading"><h3 class="panel-title">Enable GNOME3 Login Warning Banner</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_dconf_gnome_banner_enabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:29</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-26970-4">CCE-26970-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-010030</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86483r3_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">1.7.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.9</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000048</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-8(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-8(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-8(c)(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-8(c)(2)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-8(c)(3)</a>, <a href="">OS-SRG-000023-GPOS-00006</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000024-GPOS-00007</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000228-GPOS-00088</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>In the default graphical environment, displaying a login warning banner in the GNOME Display Manager's login screen can be enabled on the login screen by setting <code>banner-message-enable</code> to <code>true</code>. <br><br> To enable, add or edit <code>banner-message-enable</code> to <code>/etc/dconf/db/gdm.d/00-security-settings</code>. For example: <pre>[org/gnome/login-screen] banner-message-enable=true</pre> Once the setting has been added, add a lock to <code>/etc/dconf/db/gdm.d/locks/00-security-settings-lock</code> to prevent user modification. For example: <pre>/org/gnome/login-screen/banner-message-enable</pre> After the settings have been set, run <code>dconf update</code>. The banner text must also be set.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. <br><br> For U.S. Government systems, system use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_dconf_gnome_login_banner_text" id="rule-detail-idm46336714333056"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set the GNOME3 Login Warning Banner Textxccdf_org.ssgproject.content_rule_dconf_gnome_login_banner_text mediumCCE-26892-0 </div><div class="panel-heading"><h3 class="panel-title">Set the GNOME3 Login Warning Banner Text</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_dconf_gnome_login_banner_text</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:29</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-26892-0">CCE-26892-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-010040</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86485r3_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">1.7.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.9</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000048</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-8(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-8(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-8(c)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000023-GPOS-00006</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000024-GPOS-00007</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000228-GPOS-00088</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>In the default graphical environment, configuring the login warning banner text in the GNOME Display Manager's login screen can be configured on the login screen by setting <code>banner-message-text</code> to <code>string '<i>APPROVED_BANNER</i>'</code> where <i>APPROVED_BANNER</i> is the approved banner for your environment. <br><br> To enable, add or edit <code>banner-message-text</code> to <code>/etc/dconf/db/gdm.d/00-security-settings</code>. For example: <pre>[org/gnome/login-screen] banner-message-text='<i>APPROVED_BANNER</i>'</pre> Once the setting has been added, add a lock to <code>/etc/dconf/db/gdm.d/locks/00-security-settings-lock</code> to prevent user modification. For example: <pre>/org/gnome/login-screen/banner-message-text</pre> After the settings have been set, run <code>dconf update</code>. When entering a warning banner that spans several lines, remember to begin and end the string with <code>'</code> and use <code>\n</code> for new lines.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>An appropriate warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_banner_etc_issue" id="rule-detail-idm46336714323808"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Modify the System Login Bannerxccdf_org.ssgproject.content_rule_banner_etc_issue mediumCCE-27303-7 </div><div class="panel-heading"><h3 class="panel-title">Modify the System Login Banner</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_banner_etc_issue</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:15</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27303-7">CCE-27303-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-010050</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86487r2_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">1.7.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.9</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000048</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-8(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-8(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-8(c)(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-8(c)(2)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-8(c)(3)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000023-GPOS-00006</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000024-GPOS-00007</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To configure the system login banner edit <code>/etc/issue</code>. Replace the default text with a message compliant with the local site policy or a legal disclaimer. The DoD required text is either: <br><br> <code>You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: <br>-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. <br>-At any time, the USG may inspect and seize data stored on this IS. <br>-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. <br>-This IS includes security measures (e.g., authentication and access controls) to protect USG interests -- not for your personal benefit or privacy. <br>-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.</code> <br><br> OR: <br><br> <code>I've read & consent to terms in IS user agreem't.</code></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. <br><br> System use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notchecked rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_umask_interactive_users" id="rule-detail-idm46336714306576"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure the Default Umask is Set Correctly For Interactive Usersxccdf_org.ssgproject.content_rule_accounts_umask_interactive_users mediumCCE-80536-6 </div><div class="panel-heading"><h3 class="panel-title">Ensure the Default Umask is Set Correctly For Interactive Users</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_umask_interactive_users</td></tr><tr><td>Result</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:29</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80536-6">CCE-80536-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001814</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-021040</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86673r1_rule</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Remove the <code>UMASK</code> environment variable from all interactive users initialization files.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The umask controls the default access mode assigned to newly created files. A umask of 077 limits new files to mode 700 or less permissive. Although umask can be represented as a four-digit number, the first digit representing special access modes is typically ignored or required to be 0. This requirement applies to the globally configured system defaults and the local interactive user defaults for each account on the system.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">No candidate or applicable check found.</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_umask_etc_login_defs" id="rule-detail-idm46336714304160"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure the Default Umask is Set Correctly in login.defsxccdf_org.ssgproject.content_rule_accounts_umask_etc_login_defs unknownCCE-80205-8 </div><div class="panel-heading"><h3 class="panel-title">Ensure the Default Umask is Set Correctly in login.defs</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_umask_etc_login_defs</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:29</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80205-8">CCE-80205-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-020240</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86619r1_rule</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-8</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00228</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To ensure the default umask controlled by <code>/etc/login.defs</code> is set properly, add or correct the <code>UMASK</code> setting in <code>/etc/login.defs</code> to read as follows: <pre>UMASK <abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_user_umask">077</abbr></pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read and written to by unauthorized users.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notchecked rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_user_dot_no_world_writable_programs" id="rule-detail-idm46336714293408"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->User Initialization Files Must Not Run World-Writable Programsxccdf_org.ssgproject.content_rule_accounts_user_dot_no_world_writable_programs mediumCCE-80523-4 </div><div class="panel-heading"><h3 class="panel-title">User Initialization Files Must Not Run World-Writable Programs</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_user_dot_no_world_writable_programs</td></tr><tr><td>Result</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:29</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80523-4">CCE-80523-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-020730</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86661r1_rule</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Set the mode on files being executed by the user initialization files with the following command: <pre>$ sudo chmod 0755 <i>FILE</i></pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>If user start-up files execute world-writable programs, especially in unprotected directories, they could be maliciously modified to destroy user files or otherwise compromise the system at the user level. If the system is compromised at the user level, it is easier to elevate privileges to eventually compromise the system at the root and network level.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">No candidate or applicable check found.</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_tmout" id="rule-detail-idm46336714290528"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set Interactive Session Timeoutxccdf_org.ssgproject.content_rule_accounts_tmout mediumCCE-27557-8 </div><div class="panel-heading"><h3 class="panel-title">Set Interactive Session Timeout</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_tmout</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:15</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27557-8">CCE-27557-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040160</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86847r3_rule</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.11</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001133</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000361</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-12</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-10</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000163-GPOS-00072</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Setting the <code>TMOUT</code> option in <code>/etc/profile</code> ensures that all user sessions will terminate based on inactivity. The <code>TMOUT</code> setting in <code>/etc/profile</code> should read as follows: <pre>TMOUT=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_tmout">600</abbr></pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notchecked rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_user_dot_user_ownership" id="rule-detail-idm46336714284992"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->User Initialization Files Must Be Owned By the Primary Userxccdf_org.ssgproject.content_rule_accounts_user_dot_user_ownership mediumCCE-80527-5 </div><div class="panel-heading"><h3 class="panel-title">User Initialization Files Must Be Owned By the Primary User</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_user_dot_user_ownership</td></tr><tr><td>Result</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:29</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80527-5">CCE-80527-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-020690</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86653r1_rule</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Set the owner of the user initialization files for interactive users to the primary owner with the following command: <pre>$ sudo chown <i>USER</i> /home/<i>USER</i>/.*</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Local initialization files are used to configure the user's shell environment upon logon. Malicious modification of these files could compromise accounts upon logon.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">No candidate or applicable check found.</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notchecked rule-detail-id-xccdf_org.ssgproject.content_rule_file_permission_user_init_files" id="rule-detail-idm46336714282400"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure All User Initialization Files Have Mode 0740 Or Less Permissivexccdf_org.ssgproject.content_rule_file_permission_user_init_files mediumCCE-80525-9 </div><div class="panel-heading"><h3 class="panel-title">Ensure All User Initialization Files Have Mode 0740 Or Less Permissive</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_file_permission_user_init_files</td></tr><tr><td>Result</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:29</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80525-9">CCE-80525-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-020710</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86657r1_rule</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Set the mode of the user initialization files to <code>0740</code> with the following command: <pre>$ sudo chmod 0740 /home/<i>USER</i>/.<i>INIT_FILE</i></pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Local initialization files are used to configure the user's shell environment upon logon. Malicious modification of these files could compromise accounts upon logon.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">No candidate or applicable check found.</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notchecked rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_user_dot_group_ownership" id="rule-detail-idm46336714278848"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->User Initialization Files Must Be Group-Owned By The Primary Userxccdf_org.ssgproject.content_rule_accounts_user_dot_group_ownership mediumCCE-80526-7 </div><div class="panel-heading"><h3 class="panel-title">User Initialization Files Must Be Group-Owned By The Primary User</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_user_dot_group_ownership</td></tr><tr><td>Result</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:29</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80526-7">CCE-80526-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-020700</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86655r2_rule</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Change the group owner of interactive users files to the group found in <pre>/etc/passwd</pre> for the user. To change the group owner of a local interactive user home directory, use the following command: <pre>$ sudo chgrp <i>USER_GROUP</i> /home/<i>USER</i>/.<i>INIT_FILE</i></pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Local initialization files for interactive users are used to configure the user's shell environment upon logon. Malicious modification of these files could compromise accounts upon logon.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">No candidate or applicable check found.</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notchecked rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_user_interactive_home_directory_exists" id="rule-detail-idm46336714275504"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->All Interactive Users Home Directories Must Existxccdf_org.ssgproject.content_rule_accounts_user_interactive_home_directory_exists mediumCCE-80529-1 </div><div class="panel-heading"><h3 class="panel-title">All Interactive Users Home Directories Must Exist</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_user_interactive_home_directory_exists</td></tr><tr><td>Result</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:29</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80529-1">CCE-80529-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-020620</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86639r1_rule</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Create home directories to all interactive users that currently do not have a home directory assigned. Use the following commands to create the user home directory assigned in <code>/etc/passwd</code>: <pre>$ sudo mkdir /home/<i>USER</i></pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>If a local interactive user has a home directory defined that does not exist, the user may be given access to the / directory as the current working directory upon logon. This could create a Denial of Service because the user would not be able to access their logon configuration files, and it may give them visibility to system files they normally would not be able to access.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">No candidate or applicable check found.</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notchecked rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_users_home_files_groupownership" id="rule-detail-idm46336714270240"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->All User Files and Directories In The Home Directory Must Be Group-Owned By The Primary Userxccdf_org.ssgproject.content_rule_accounts_users_home_files_groupownership mediumCCE-80534-1 </div><div class="panel-heading"><h3 class="panel-title">All User Files and Directories In The Home Directory Must Be Group-Owned By The Primary User</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_users_home_files_groupownership</td></tr><tr><td>Result</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:29</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80534-1">CCE-80534-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-020670</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86649r1_rule</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Change the group of a local interactive users files and directories to a group that the interactive user is a member of. To change the group owner of a local interactive users files and directories, use the following command: <pre>$ sudo chgrp <i>USER_GROUP</i> /home/<i>USER</i>/<i>FILE_DIR</i></pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>If a local interactive users files are group-owned by a group of which the user is not a member, unintended users may be able to access them.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">No candidate or applicable check found.</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_logon_fail_delay" id="rule-detail-idm46336714267280"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure the Logon Failure Delay is Set Correctly in login.defsxccdf_org.ssgproject.content_rule_accounts_logon_fail_delay unknownCCE-80352-8 </div><div class="panel-heading"><h3 class="panel-title">Ensure the Logon Failure Delay is Set Correctly in login.defs</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_logon_fail_delay</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:15</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80352-8">CCE-80352-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-010430</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86575r1_rule</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(b)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00226</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To ensure the logon failure delay controlled by <code>/etc/login.defs</code> is set properly, add or correct the <code>FAIL_DELAY</code> setting in <code>/etc/login.defs</code> to read as follows: <pre>FAIL_DELAY <abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_fail_delay">4</abbr></pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Increasing the time between a failed authentication attempt and re-prompting to enter credentials helps to slow a single-threaded brute force attack.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_have_homedir_login_defs" id="rule-detail-idm46336714248960"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure Home Directories are Created for New Usersxccdf_org.ssgproject.content_rule_accounts_have_homedir_login_defs mediumCCE-80434-4 </div><div class="panel-heading"><h3 class="panel-title">Ensure Home Directories are Created for New Users</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_have_homedir_login_defs</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:29</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80434-4">CCE-80434-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-020610</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86637r1_rule</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>All local interactive user accounts, upon creation, should be assigned a home directory. <br><br> Configure the operating system to assign home directories to all new local interactive users by setting the <code>CREATE_HOME</code> parameter in <code>/etc/login.defs</code> to <code>yes</code> as follows: <br><br> <pre>CREATE_HOME yes</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_max_concurrent_login_sessions" id="rule-detail-idm46336714260560"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Limit the Number of Concurrent Login Sessions Allowed Per Userxccdf_org.ssgproject.content_rule_accounts_max_concurrent_login_sessions lowCCE-27081-9 </div><div class="panel-heading"><h3 class="panel-title">Limit the Number of Concurrent Login Sessions Allowed Per User</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_max_concurrent_login_sessions</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:15</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27081-9">CCE-27081-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040000</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86841r1_rule</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.2.2</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000054</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-10</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000027-GPOS-00008</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Limiting the number of allowed users and sessions per user can limit risks related to Denial of Service attacks. This addresses concurrent sessions for a single account and does not address concurrent sessions by a single user via multiple accounts. To set the number of concurrent sessions per user add the following line in <code>/etc/security/limits.conf</code>: <pre>* hard maxlogins <abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_max_concurrent_login_sessions">10</abbr></pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Limiting simultaneous user logins can insulate the system from denial of service problems caused by excessive logins. Automated login processes operating improperly or maliciously may result in an exceptional number of simultaneous login sessions.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notchecked rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_users_home_files_permissions" id="rule-detail-idm46336714243040"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->All User Files and Directories In The Home Directory Must Have Mode 0750 Or Less Permissivexccdf_org.ssgproject.content_rule_accounts_users_home_files_permissions mediumCCE-80535-8 </div><div class="panel-heading"><h3 class="panel-title">All User Files and Directories In The Home Directory Must Have Mode 0750 Or Less Permissive</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_users_home_files_permissions</td></tr><tr><td>Result</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:29</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80535-8">CCE-80535-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-020680</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86651r1_rule</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Set the mode on files and directories in the local interactive user home directory with the following command: <pre>$ sudo chmod 0750 /home/<i>USER</i>/<i>FILE_DIR</i></pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>If a local interactive user files have excessive permissions, unintended users may be able to access or modify them.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">No candidate or applicable check found.</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notchecked rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_user_home_paths_only" id="rule-detail-idm46336714240304"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure that Users Path Contains Only Local Directoriesxccdf_org.ssgproject.content_rule_accounts_user_home_paths_only mediumCCE-80524-2 </div><div class="panel-heading"><h3 class="panel-title">Ensure that Users Path Contains Only Local Directories</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_user_home_paths_only</td></tr><tr><td>Result</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:29</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80524-2">CCE-80524-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-020720</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86659r3_rule</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Ensure that all interactive user initialization files executable search path statements do not contain statements that will reference a working directory other than the users home directory.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The executable search path (typically the PATH environment variable) contains a list of directories for the shell to search to find executables. If this path includes the current working directory (other than the users home directory), executables in these directories may be executed instead of system commands. This variable is formatted as a colon-separated list of directories. If there is an empty entry, such as a leading or trailing colon or two consecutive colons, this is interpreted as the current working directory. If deviations from the default system search path for the local interactive user are required, they must be documented with the Information System Security Officer (ISSO).</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">No candidate or applicable check found.</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notchecked rule-detail-id-xccdf_org.ssgproject.content_rule_file_groupownership_home_directories" id="rule-detail-idm46336714237040"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->All Interactive User Home Directories Must Be Group-Owned By The Primary Userxccdf_org.ssgproject.content_rule_file_groupownership_home_directories mediumCCE-80532-5 </div><div class="panel-heading"><h3 class="panel-title">All Interactive User Home Directories Must Be Group-Owned By The Primary User</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_file_groupownership_home_directories</td></tr><tr><td>Result</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:29</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80532-5">CCE-80532-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-020650</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86645r4_rule</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Change the group owner of interactive users home directory to the group found in <code>/etc/passwd</code>. To change the group owner of interactive users home directory, use the following command: <pre>$ sudo chgrp <i>USER_GROUP</i> /home/<i>USER</i></pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>If the Group Identifier (GID) of a local interactive users home directory is not the same as the primary GID of the user, this would allow unauthorized access to the users files, and users that share the same group may not be able to access files that they legitimately should.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">No candidate or applicable check found.</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notchecked rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_user_interactive_home_directory_defined" id="rule-detail-idm46336714233696"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->All Interactive Users Must Have A Home Directory Definedxccdf_org.ssgproject.content_rule_accounts_user_interactive_home_directory_defined mediumCCE-80528-3 </div><div class="panel-heading"><h3 class="panel-title">All Interactive Users Must Have A Home Directory Defined</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_user_interactive_home_directory_defined</td></tr><tr><td>Result</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:29</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80528-3">CCE-80528-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-020600</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86635r1_rule</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Assign home directories to all interactive users that currently do not have a home directory assigned.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">No candidate or applicable check found.</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notchecked rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_users_home_files_ownership" id="rule-detail-idm46336714230240"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->All User Files and Directories In The Home Directory Must Be Owned By The Primary Userxccdf_org.ssgproject.content_rule_accounts_users_home_files_ownership mediumCCE-80533-3 </div><div class="panel-heading"><h3 class="panel-title">All User Files and Directories In The Home Directory Must Be Owned By The Primary User</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_users_home_files_ownership</td></tr><tr><td>Result</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:29</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80533-3">CCE-80533-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-020660</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86647r1_rule</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Change the owner of a interactive users files and directories to that owner. To change the of a local interactive users files and directories, use the following command: <pre>$ sudo chown -R <i>USER</i> /home/<i>USER</i></pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>If local interactive users do not own the files in their directories, unauthorized users may be able to access them. Additionally, if files are not owned by the user, this could be an indication of system compromise.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">No candidate or applicable check found.</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notchecked rule-detail-id-xccdf_org.ssgproject.content_rule_file_ownership_home_directories" id="rule-detail-idm46336714227248"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->All Interactive User Home Directories Must Be Owned By The Primary Userxccdf_org.ssgproject.content_rule_file_ownership_home_directories mediumCCE-80531-7 </div><div class="panel-heading"><h3 class="panel-title">All Interactive User Home Directories Must Be Owned By The Primary User</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_file_ownership_home_directories</td></tr><tr><td>Result</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:29</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80531-7">CCE-80531-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-020640</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86643r4_rule</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Change the owner of interactive users home directories to that correct owner. To change the owner of a interactive users home directory, use the following command: <pre>$ sudo chown <i>USER</i> /home/<i>USER</i></pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>If a local interactive user does not own their home directory, unauthorized users could access or modify the user's files, and the users may not be able to access their own files.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">No candidate or applicable check found.</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notchecked rule-detail-id-xccdf_org.ssgproject.content_rule_file_permissions_home_directories" id="rule-detail-idm46336714224000"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->All Interactive User Home Directories Must Have mode 0750 Or Less Permissivexccdf_org.ssgproject.content_rule_file_permissions_home_directories mediumCCE-80530-9 </div><div class="panel-heading"><h3 class="panel-title">All Interactive User Home Directories Must Have mode 0750 Or Less Permissive</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_file_permissions_home_directories</td></tr><tr><td>Result</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:29</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80530-9">CCE-80530-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-020630</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86641r2_rule</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Change the mode of interactive users home directories to <code>0750</code>. To change the mode of interactive users home directory, use the following command: <pre>$ sudo chmod 0750 /home/<i>USER</i></pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Excessive permissions on local interactive user home directories may allow unauthorized access to user files by other users.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">No candidate or applicable check found.</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_file_permissions_ungroupowned" id="rule-detail-idm46336714175232"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure All Files Are Owned by a Groupxccdf_org.ssgproject.content_rule_file_permissions_ungroupowned mediumCCE-80135-7 </div><div class="panel-heading"><h3 class="panel-title">Ensure All Files Are Owned by a Group</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_file_permissions_ungroupowned</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:47</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80135-7">CCE-80135-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-020330</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86633r2_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">6.1.12</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002165</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3(4)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-2</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>If any files are not owned by a group, then the cause of their lack of group-ownership should be investigated. Following this, the files should be deleted or assigned to an appropriate group.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Unowned files do not directly imply a security problem, but they are generally a sign that something is amiss. They may be caused by an intruder, by incorrect software installation or draft software removal, or by failure to remove all files belonging to a deleted account. The files should be repaired so they will not cause problems when accounts are created in the future, and the cause should be discovered and addressed.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_dir_perms_world_writable_system_owned" id="rule-detail-idm46336714171264"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure All World-Writable Directories Are Owned by a System Accountxccdf_org.ssgproject.content_rule_dir_perms_world_writable_system_owned unknownCCE-80136-5 </div><div class="panel-heading"><h3 class="panel-title">Ensure All World-Writable Directories Are Owned by a System Account</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_dir_perms_world_writable_system_owned</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:25:50</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80136-5">CCE-80136-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-021030</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86671r3_rule</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>All directories in local partitions which are world-writable should be owned by root or another system account. If any world-writable directories are not owned by a system account, this should be investigated. Following this, the files should be deleted or assigned to an appropriate group.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Allowing a user account to own a world-writable directory is undesirable because it allows the owner of that directory to remove or replace any files that may be placed in the directory by other users.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_no_files_unowned_by_user" id="rule-detail-idm46336714167328"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure All Files Are Owned by a Userxccdf_org.ssgproject.content_rule_no_files_unowned_by_user mediumCCE-80134-0 </div><div class="panel-heading"><h3 class="panel-title">Ensure All Files Are Owned by a User</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_no_files_unowned_by_user</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:26:03</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80134-0">CCE-80134-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-020320</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86631r2_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">6.1.11</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002165</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3(4)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(b)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>If any files are not owned by a user, then the cause of their lack of ownership should be investigated. Following this, the files should be deleted or assigned to an appropriate user.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Unowned files do not directly imply a security problem, but they are generally a sign that something is amiss. They may be caused by an intruder, by incorrect software installation or draft software removal, or by failure to remove all files belonging to a deleted account. The files should be repaired so they will not cause problems when accounts are created in the future, and the cause should be discovered and addressed.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_kernel_randomize_va_space" id="rule-detail-idm46336714140560"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Enable Randomized Layout of Virtual Address Spacexccdf_org.ssgproject.content_rule_sysctl_kernel_randomize_va_space mediumCCE-27127-0 </div><div class="panel-heading"><h3 class="panel-title">Enable Randomized Layout of Virtual Address Space</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_kernel_randomize_va_space</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:15</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27127-0">CCE-27127-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">1.5.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(c)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-30(2)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040201</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-92521r1_rule</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To set the runtime status of the <code>kernel.randomize_va_space</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.randomize_va_space=2</pre> If this is not the system default value, add the following line to <code>/etc/sysctl.conf</code>: <pre>kernel.randomize_va_space = 2</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Address space layout randomization (ASLR) makes it more difficult for an attacker to predict the location of attack code they have introduced into a process's address space during an attempt at exploitation. Additionally, ASLR makes it more difficult for an attacker to know the location of existing code in order to re-purpose it using return oriented programming (ROP) techniques.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_mount_option_home_nosuid" id="rule-detail-idm46336714117104"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Add nosuid Option to /homexccdf_org.ssgproject.content_rule_mount_option_home_nosuid unknownCCE-81153-9 </div><div class="panel-heading"><h3 class="panel-title">Add nosuid Option to /home</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_mount_option_home_nosuid</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:26:03</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-81153-9">CCE-81153-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-021000</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86665r3_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">1.1.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MP-2</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>nosuid</code> mount option can be used to prevent execution of setuid programs in <code>/home</code>. The SUID and SGID permissions should not be required in these user data directories. Add the <code>nosuid</code> option to the fourth column of <code>/etc/fstab</code> for the line which controls mounting of <code>/home</code>.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from user home directory partitions.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_mount_option_nosuid_removable_partitions" id="rule-detail-idm46336714108880"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Add nosuid Option to Removable Media Partitionsxccdf_org.ssgproject.content_rule_mount_option_nosuid_removable_partitions unknownCCE-80148-0 </div><div class="panel-heading"><h3 class="panel-title">Add nosuid Option to Removable Media Partitions</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_mount_option_nosuid_removable_partitions</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:26:03</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80148-0">CCE-80148-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-021010</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86667r1_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">1.1.19</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-19(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-19(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-19(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MP-2</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>nosuid</code> mount option prevents set-user-identifier (SUID) and set-group-identifier (SGID) permissions from taking effect. These permissions allow users to execute binaries with the same permissions as the owner and group of the file respectively. Users should not be allowed to introduce SUID and SGID files into the system via partitions mounted from removeable media. Add the <code>nosuid</code> option to the fourth column of <code>/etc/fstab</code> for the line which controls mounting of any removable media partitions.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The presence of SUID and SGID executables should be tightly controlled. Allowing users to introduce SUID or SGID binaries from partitions mounted off of removable media would allow them to introduce their own highly-privileged programs.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_kernel_module_usb-storage_disabled" id="rule-detail-idm46336714083168"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable Modprobe Loading of USB Storage Driverxccdf_org.ssgproject.content_rule_kernel_module_usb-storage_disabled mediumCCE-27277-3 </div><div class="panel-heading"><h3 class="panel-title">Disable Modprobe Loading of USB Storage Driver</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_kernel_module_usb-storage_disabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:15</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27277-3">CCE-27277-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-020100</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86607r2_rule</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.21</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000778</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001958</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(2)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(iv)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-19(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-19(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-19(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-3</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000114-GPOS-00059</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000378-GPOS-0016</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To prevent USB storage devices from being used, configure the kernel module loading system to prevent automatic loading of the USB storage driver. To configure the system to prevent the <code>usb-storage</code> kernel module from being loaded, add the following line to a file in the directory <code>/etc/modprobe.d</code>: <pre>install usb-storage /bin/true</pre> This will prevent the <code>modprobe</code> program from loading the <code>usb-storage</code> module, but will not prevent an administrator (or another program) from using the <code>insmod</code> program to load the module manually.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>USB storage devices such as thumb drives can be used to introduce malicious software.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">grep: /etc/modprobe.d/usb-storage.conf: No such file or directory </message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_service_autofs_disabled" id="rule-detail-idm46336714055344"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable the Automounterxccdf_org.ssgproject.content_rule_service_autofs_disabled mediumCCE-27498-5 </div><div class="panel-heading"><h3 class="panel-title">Disable the Automounter</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_service_autofs_disabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:26:03</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27498-5">CCE-27498-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-020110</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86609r1_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">1.1.22</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.6</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000778</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001958</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(2)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(iv)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-19(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-19(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-19(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-3</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000114-GPOS-00059</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000378-GPOS-00163</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>autofs</code> daemon mounts and unmounts filesystems, such as user home directories shared via NFS, on demand. In addition, autofs can be used to handle removable media, and the default configuration provides the cdrom device as <code>/misc/cd</code>. However, this method of providing access to removable media is not common, so autofs can almost always be disabled if NFS is not in use. Even if NFS is required, it may be possible to configure filesystem mounts statically by editing <code>/etc/fstab</code> rather than relying on the automounter. <br><br> The <code>autofs</code> service can be disabled with the following command: <pre>$ sudo systemctl disable autofs.service</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Disabling the automounter permits the administrator to statically control filesystem mounting through <code>/etc/fstab</code>. <br><br> Additionally, automatically mounting filesystems permits easy introduction of unknown devices, thereby facilitating malicious activity.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notchecked rule-detail-id-xccdf_org.ssgproject.content_rule_auditd_audispd_encrypt_sent_records" id="rule-detail-idm46336714043808"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Encrypt Audit Records Sent With audispd Pluginxccdf_org.ssgproject.content_rule_auditd_audispd_encrypt_sent_records mediumCCE-80540-8 </div><div class="panel-heading"><h3 class="panel-title">Encrypt Audit Records Sent With audispd Plugin</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_auditd_audispd_encrypt_sent_records</td></tr><tr><td>Result</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:26:03</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80540-8">CCE-80540-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001851</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000342-GPOS-00133</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030310</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86709r1_rule</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Configure the operating system to encrypt the transfer of off-loaded audit records onto a different system or media from the system being audited. Uncomment the <code>enable_krb5</code> option in <pre>/etc/audisp/audisp-remote.conf</pre>, and set it with the following line: <pre>enable_krb5 = yes</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">No candidate or applicable check found.</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notchecked rule-detail-id-xccdf_org.ssgproject.content_rule_auditd_audispd_configure_remote_server" id="rule-detail-idm46336714040944"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure audispd Plugin To Send Logs To Remote Serverxccdf_org.ssgproject.content_rule_auditd_audispd_configure_remote_server mediumCCE-80541-6 </div><div class="panel-heading"><h3 class="panel-title">Configure audispd Plugin To Send Logs To Remote Server</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_auditd_audispd_configure_remote_server</td></tr><tr><td>Result</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:26:03</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80541-6">CCE-80541-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001851</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000342-GPOS-00133</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030300</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86707r1_rule</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Configure the audispd plugin to off-load audit records onto a different system or media from the system being audited. Set the <code>remote_server</code> option in <pre>/etc/audisp/audisp-remote.conf</pre> with an IP address or hostname of the system that the audispd plugin should send audit records to. For example replacing <i>REMOTE_SYSTEM</i> with an IP address or hostname: <pre>remote_server = <i>REMOTE_SYSTEM</i></pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Information stored in one location is vulnerable to accidental or incidental deletion or alteration.Off-loading is a common process in information systems with limited audit storage capacity.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">No candidate or applicable check found.</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notchecked rule-detail-id-xccdf_org.ssgproject.content_rule_auditd_audispd_network_failure_action" id="rule-detail-idm46336714037600"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure audispd's Plugin network_failure_action On Network Failurexccdf_org.ssgproject.content_rule_auditd_audispd_network_failure_action mediumCCE-80538-2 </div><div class="panel-heading"><h3 class="panel-title">Configure audispd's Plugin network_failure_action On Network Failure</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_auditd_audispd_network_failure_action</td></tr><tr><td>Result</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:26:03</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80538-2">CCE-80538-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001851</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000342-GPOS-00133</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030321</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-87815r2_rule</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Configure the action the operating system takes if there is an error sending audit records to a remote system. Edit the file <code>/etc/audisp/audisp-remote.conf</code>. Add or modify the following line, substituting <i>ACTION</i> appropriately: <pre>network_failure_action = <i>ACTION</i></pre> Set this value to <code>single</code> to cause the system to switch to single user mode for corrective action. Acceptable values also include <code>syslog</code> and <code>halt</code>. For certain systems, the need for availability outweighs the need to log all actions, and a different setting should be determined.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Taking appropriate action when there is an error sending audit records to a remote system will minimize the possibility of losing audit records.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">No candidate or applicable check found.</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left" id="rule-detail-idm46336714029600"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure auditd space_left on Low Disk Spacexccdf_org.ssgproject.content_rule_auditd_data_retention_space_left mediumCCE-80537-4 </div><div class="panel-heading"><h3 class="panel-title">Configure auditd space_left on Low Disk Space</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:15</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80537-4">CCE-80537-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001855</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-4</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-5(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.7</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000343-GPOS-00134</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030330</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86713r1_rule</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>auditd</code> service can be configured to take an action when disk space is running low but prior to running out of space completely. Edit the file <code>/etc/audit/auditd.conf</code>. Add or modify the following line, substituting <i>SIZE_in_MB</i> appropriately: <pre>space_left = <i>SIZE_in_MB</i></pre> Set this value to the appropriate size in Megabytes cause the system to notify the user of an issue.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Notifying administrators of an impending disk space problem may allow them to take corrective action prior to any disruption.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_auditd_data_retention_action_mail_acct" id="rule-detail-idm46336714024208"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure auditd mail_acct Action on Low Disk Spacexccdf_org.ssgproject.content_rule_auditd_data_retention_action_mail_acct mediumCCE-27394-6 </div><div class="panel-heading"><h3 class="panel-title">Configure auditd mail_acct Action on Low Disk Space</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_auditd_data_retention_action_mail_acct</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:26:03</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27394-6">CCE-27394-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030350</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86717r2_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.1.2</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.1</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001855</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(ii)</a>, <a href="https://www.iso.org/standard/54534.html">A.12.3.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-4</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-5(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-5(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.7.a</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000343-GPOS-00134</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>auditd</code> service can be configured to send email to a designated account in certain situations. Add or correct the following line in <code>/etc/audit/auditd.conf</code> to ensure that administrators are notified via email for those situations: <pre>action_mail_acct = <abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_auditd_action_mail_acct">root</abbr></pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Email sent to the root account is typically aliased to the administrators of the system, who can take appropriate action.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left_action" id="rule-detail-idm46336714019136"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure auditd space_left Action on Low Disk Spacexccdf_org.ssgproject.content_rule_auditd_data_retention_space_left_action mediumCCE-27375-5 </div><div class="panel-heading"><h3 class="panel-title">Configure auditd space_left Action on Low Disk Space</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left_action</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:15</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27375-5">CCE-27375-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.1.2</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.1</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001855</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(ii)</a>, <a href="https://www.iso.org/standard/54534.html">A.12.3.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-4</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-5(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-5(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.7</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000343-GPOS-00134</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>auditd</code> service can be configured to take an action when disk space <i>starts</i> to run low. Edit the file <code>/etc/audit/auditd.conf</code>. Modify the following line, substituting <i>ACTION</i> appropriately: <pre>space_left_action = <i>ACTION</i></pre> Possible values for <i>ACTION</i> are described in the <code>auditd.conf</code> man page. These include: <ul><li><code>syslog</code></li><li><code>email</code></li><li><code>exec</code></li><li><code>suspend</code></li><li><code>single</code></li><li><code>halt</code></li></ul> Set this to <code>email</code> (instead of the default, which is <code>suspend</code>) as it is more likely to get prompt attention. Acceptable values also include <code>suspend</code>, <code>single</code>, and <code>halt</code>.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Notifying administrators of an impending disk space problem may allow them to take corrective action prior to any disruption.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notchecked rule-detail-id-xccdf_org.ssgproject.content_rule_auditd_audispd_disk_full_action" id="rule-detail-idm46336714004880"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure audispd's Plugin disk_full_action When Disk Is Fullxccdf_org.ssgproject.content_rule_auditd_audispd_disk_full_action mediumCCE-80539-0 </div><div class="panel-heading"><h3 class="panel-title">Configure audispd's Plugin disk_full_action When Disk Is Full</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_auditd_audispd_disk_full_action</td></tr><tr><td>Result</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:26:03</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80539-0">CCE-80539-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001851</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000342-GPOS-00133</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030320</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86711r2_rule</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Configure the action the operating system takes if the disk the audit records are written to becomes full. Edit the file <code>/etc/audisp/audisp-remote.conf</code>. Add or modify the following line, substituting <i>ACTION</i> appropriately: <pre>disk_full_action = <i>ACTION</i></pre> Set this value to <code>single</code> to cause the system to switch to single user mode for corrective action. Acceptable values also include <code>syslog</code> and <code>halt</code>. For certain systems, the need for availability outweighs the need to log all actions, and a different setting should be determined.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Taking appropriate action in case of a filled audit storage volume will minimize the possibility of losing audit records.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">No candidate or applicable check found.</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_rmmod" id="rule-detail-idm46336713995024"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure auditd Collects Information on Kernel Module Unloading - rmmodxccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_rmmod mediumCCE-80416-1 </div><div class="panel-heading"><h3 class="panel-title">Ensure auditd Collects Information on Kernel Module Unloading - rmmod</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_rmmod</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:15</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80416-1">CCE-80416-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030850</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86817r3_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.17</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.2.7</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000471-GPOS-00216</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000477-GPOS-00222</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To capture invocation of rmmod, utility used to remove modules from kernel, add the following line: <pre>-w /usr/sbin/rmmod -p x -k modules</pre> Place to add the line depends on a way <code>auditd</code> daemon is configured. If it is configured to use the <code>augenrules</code> program (the default), add the line to a file with suffix <code>.rules</code> in the directory <code>/etc/audit/rules.d</code>. If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> utility, add the line to file <code>/etc/audit/audit.rules</code>.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">grep: /etc/audit/audit.rules: No such file or directory </message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_delete" id="rule-detail-idm46336713970336"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure auditd Collects Information on Kernel Module Unloading - delete_modulexccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_delete mediumCCE-80415-3 </div><div class="panel-heading"><h3 class="panel-title">Ensure auditd Collects Information on Kernel Module Unloading - delete_module</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_delete</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:15</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80415-3">CCE-80415-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030830</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86813r3_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.17</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.2.7</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000471-GPOS-00216</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000477-GPOS-00222</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To capture kernel module unloading events, use following line, setting ARCH to either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: <pre>-a always,exit -F arch=<i>ARCH</i> -S delete_module -F key=modules</pre> Place to add the line depends on a way <code>auditd</code> daemon is configured. If it is configured to use the <code>augenrules</code> program (the default), add the line to a file with suffix <code>.rules</code> in the directory <code>/etc/audit/rules.d</code>. If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> utility, add the line to file <code>/etc/audit/audit.rules</code>.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_modprobe" id="rule-detail-idm46336713986304"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure auditd Collects Information on Kernel Module Loading and Unloading - modprobexccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_modprobe mediumCCE-80417-9 </div><div class="panel-heading"><h3 class="panel-title">Ensure auditd Collects Information on Kernel Module Loading and Unloading - modprobe</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_modprobe</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:15</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80417-9">CCE-80417-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030860</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86819r3_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.17</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.2.7</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000471-GPOS-00216</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000477-GPOS-00222</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To capture invocation of modprobe, utility used to insert / remove modules from kernel, add the following line: <pre>-w /usr/sbin/modprobe -p x -k modules</pre> Place to add the line depends on a way <code>auditd</code> daemon is configured. If it is configured to use the <code>augenrules</code> program (the default), add the line to a file with suffix <code>.rules</code> in the directory <code>/etc/audit/rules.d</code>. If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> utility, add the line to file <code>/etc/audit/audit.rules</code>.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_finit" id="rule-detail-idm46336713961840"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_modulexccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_finit mediumCCE-80547-3 </div><div class="panel-heading"><h3 class="panel-title">Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_finit</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:16</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80547-3">CCE-80547-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030821</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-93707r1_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.17</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.2.7</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000471-GPOS-00216</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000477-GPOS-00222</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add the following lines to a file with suffix <code>.rules</code> in the directory <code>/etc/audit/rules.d</code> to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: <pre>-a always,exit -F arch=<i>ARCH</i> -S finit_module -F key=modules</pre> If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> utility to read audit rules during daemon startup, add the following lines to <code>/etc/audit/audit.rules</code> file in order to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: <pre>-a always,exit -F arch=<i>ARCH</i> -S finit_module -F key=modules</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_insmod" id="rule-detail-idm46336713946960"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure auditd Collects Information on Kernel Module Loading - insmodxccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_insmod mediumCCE-80446-8 </div><div class="panel-heading"><h3 class="panel-title">Ensure auditd Collects Information on Kernel Module Loading - insmod</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_insmod</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:16</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80446-8">CCE-80446-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030840</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86815r3_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.17</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.2.7</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000471-GPOS-00216</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000477-GPOS-00222</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To capture invocation of insmod, utility used to insert modules into kernel, use the following line: <pre>-w /usr/sbin/insmod -p x -k modules</pre> Place to add the line depends on a way <code>auditd</code> daemon is configured. If it is configured to use the <code>augenrules</code> program (the default), add the line to a file with suffix <code>.rules</code> in the directory <code>/etc/audit/rules.d</code>. If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> utility, add the line to file <code>/etc/audit/audit.rules</code>.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The addition of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_create" id="rule-detail-idm46336713967728"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure auditd Collects Information on Kernel Module Loading - create_modulexccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_create medium</div><div class="panel-heading"><h3 class="panel-title">Ensure auditd Collects Information on Kernel Module Loading - create_module</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_create</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:16</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030819</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-93705r1_rule</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000471-GPOS-00216</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000477-GPOS-00222</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To capture kernel module loading events, use following line, setting ARCH to either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: <pre>-a always,exit -F arch=<i>ARCH</i> -S create_module -F key=modules</pre> Place to add the line depends on a way <code>auditd</code> daemon is configured. If it is configured to use the <code>augenrules</code> program (the default), add the line to a file with suffix <code>.rules</code> in the directory <code>/etc/audit/rules.d</code>. If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> utility, add the line to file <code>/etc/audit/audit.rules</code>.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The addition of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_init" id="rule-detail-idm46336713917920"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure auditd Collects Information on Kernel Module Loading - init_modulexccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_init mediumCCE-80414-6 </div><div class="panel-heading"><h3 class="panel-title">Ensure auditd Collects Information on Kernel Module Loading - init_module</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_init</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:16</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80414-6">CCE-80414-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030820</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86811r3_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.17</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.2.7</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000471-GPOS-00216</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000477-GPOS-00222</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To capture kernel module loading events, use following line, setting ARCH to either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: <pre>-a always,exit -F arch=<i>ARCH</i> -S init_module -F key=modules</pre> Place to add the line depends on a way <code>auditd</code> daemon is configured. If it is configured to use the <code>augenrules</code> program (the default), add the line to a file with suffix <code>.rules</code> in the directory <code>/etc/audit/rules.d</code>. If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> utility, add the line to file <code>/etc/audit/audit.rules</code>.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The addition of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_login_events_lastlog" id="rule-detail-idm46336713894528"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Record Attempts to Alter Logon and Logout Events - lastlogxccdf_org.ssgproject.content_rule_audit_rules_login_events_lastlog mediumCCE-80384-1 </div><div class="panel-heading"><h3 class="panel-title">Record Attempts to Alter Logon and Logout Events - lastlog</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_login_events_lastlog</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:16</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80384-1">CCE-80384-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030620</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86771r2_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.8</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002884</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000126</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.2.3</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000392-GPOS-00172</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000470-GPOS-00214</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000473-GPOS-00218</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The audit system already collects login information for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add the following lines to a file with suffix <code>.rules</code> in the directory <code>/etc/audit/rules.d</code> in order to watch for attempted manual edits of files involved in storing logon events: <pre>-w /var/log/lastlog -p wa -k logins</pre> If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> utility to read audit rules during daemon startup, add the following lines to <code>/etc/audit/audit.rules</code> file in order to watch for unattempted manual edits of files involved in storing logon events: <pre>-w /var/log/lastlog -p wa -k logins</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_login_events_faillock" id="rule-detail-idm46336713932096"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Record Attempts to Alter Logon and Logout Events - faillockxccdf_org.ssgproject.content_rule_audit_rules_login_events_faillock mediumCCE-80383-3 </div><div class="panel-heading"><h3 class="panel-title">Record Attempts to Alter Logon and Logout Events - faillock</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_login_events_faillock</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:16</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80383-3">CCE-80383-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030610</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86769r3_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.8</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002884</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000126</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.2.3</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000392-GPOS-00172</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000470-GPOS-00214</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000473-GPOS-00218</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The audit system already collects login information for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add the following lines to a file with suffix <code>.rules</code> in the directory <code>/etc/audit/rules.d</code> in order to watch for attempted manual edits of files involved in storing logon events: <pre>-w /var/run/faillock/ -p wa -k logins</pre> If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> utility to read audit rules during daemon startup, add the following lines to <code>/etc/audit/audit.rules</code> file in order to watch for unattempted manual edits of files involved in storing logon events: <pre>-w /var/run/faillock/ -p wa -k logins</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_login_events_tallylog" id="rule-detail-idm46336713880896"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Record Attempts to Alter Logon and Logout Events - tallylogxccdf_org.ssgproject.content_rule_audit_rules_login_events_tallylog mediumCCE-80382-5 </div><div class="panel-heading"><h3 class="panel-title">Record Attempts to Alter Logon and Logout Events - tallylog</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_login_events_tallylog</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:16</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80382-5">CCE-80382-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030600</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86767r2_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.8</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002884</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000126</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.2.3</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000392-GPOS-00172</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000470-GPOS-00214</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000473-GPOS-00218</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The audit system already collects login information for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add the following lines to a file with suffix <code>.rules</code> in the directory <code>/etc/audit/rules.d</code> in order to watch for attempted manual edits of files involved in storing logon events: <pre>-w /var/log/tallylog -p wa -k logins</pre> If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> utility to read audit rules during daemon startup, add the following lines to <code>/etc/audit/audit.rules</code> file in order to watch for unattempted manual edits of files involved in storing logon events: <pre>-w /var/log/tallylog -p wa -k logins</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchown" id="rule-detail-idm46336713847312"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Record Events that Modify the System's Discretionary Access Controls - fchownxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchown unknownCCE-27356-5 </div><div class="panel-heading"><h3 class="panel-title">Record Events that Modify the System's Discretionary Access Controls - fchown</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchown</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:16</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27356-5">CCE-27356-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030380</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86723r3_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.10</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000126</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.5.5</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000064-GPOS-00033</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000392-GPOS-00172</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000458-GPOS-00203</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000474-GPOS-00219</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>At a minimum, the audit system should collect file permission changes for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add the following line to a file with suffix <code>.rules</code> in the directory <code>/etc/audit/rules.d</code>: <pre>-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod</pre> If the system is 64 bit then also add the following line: <pre>-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod</pre> If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> utility to read audit rules during daemon startup, add the following line to <code>/etc/audit/audit.rules</code> file: <pre>-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod</pre> If the system is 64 bit then also add the following line: <pre>-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.</p></div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span>Â Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.</div></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_setxattr" id="rule-detail-idm46336713842288"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Record Events that Modify the System's Discretionary Access Controls - setxattrxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_setxattr unknownCCE-27213-8 </div><div class="panel-heading"><h3 class="panel-title">Record Events that Modify the System's Discretionary Access Controls - setxattr</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_setxattr</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:16</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27213-8">CCE-27213-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030440</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86735r3_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.10</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000126</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.5.5</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000064-GPOS-00033</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000392-GPOS-00172</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000458-GPOS-00203</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>At a minimum, the audit system should collect file permission changes for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add the following line to a file with suffix <code>.rules</code> in the directory <code>/etc/audit/rules.d</code>: <pre>-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod</pre> If the system is 64 bit then also add the following line: <pre>-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod</pre> If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> utility to read audit rules during daemon startup, add the following line to <code>/etc/audit/audit.rules</code> file: <pre>-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod</pre> If the system is 64 bit then also add the following line: <pre>-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.</p></div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span>Â Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.</div></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown" id="rule-detail-idm46336713817312"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Record Events that Modify the System's Discretionary Access Controls - chownxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown unknownCCE-27364-9 </div><div class="panel-heading"><h3 class="panel-title">Record Events that Modify the System's Discretionary Access Controls - chown</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:16</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27364-9">CCE-27364-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030370</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86721r3_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.10</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000126</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.5.5</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000064-GPOS-00033</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000392-GPOS-00172</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000458-GPOS-00203</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000474-GPOS-00219</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>At a minimum, the audit system should collect file permission changes for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add the following line to a file with suffix <code>.rules</code> in the directory <code>/etc/audit/rules.d</code>: <pre>-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod</pre> If the system is 64 bit then also add the following line: <pre>-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod</pre> If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> utility to read audit rules during daemon startup, add the following line to <code>/etc/audit/audit.rules</code> file: <pre>-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod</pre> If the system is 64 bit then also add the following line: <pre>-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.</p></div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span>Â Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.</div></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lsetxattr" id="rule-detail-idm46336713802224"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Record Events that Modify the System's Discretionary Access Controls - lsetxattrxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lsetxattr unknownCCE-27280-7 </div><div class="panel-heading"><h3 class="panel-title">Record Events that Modify the System's Discretionary Access Controls - lsetxattr</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lsetxattr</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:16</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27280-7">CCE-27280-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030460</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86739r3_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.10</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000126</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.5.5</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000064-GPOS-00033</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000392-GPOS-00172</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000458-GPOS-00203</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000474-GPOS-00219</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>At a minimum, the audit system should collect file permission changes for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add the following line to a file with suffix <code>.rules</code> in the directory <code>/etc/audit/rules.d</code>: <pre>-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod</pre> If the system is 64 bit then also add the following line: <pre>-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod</pre> If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> utility to read audit rules during daemon startup, add the following line to <code>/etc/audit/audit.rules</code> file: <pre>-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod</pre> If the system is 64 bit then also add the following line: <pre>-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.</p></div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span>Â Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.</div></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chmod" id="rule-detail-idm46336713787072"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Record Events that Modify the System's Discretionary Access Controls - chmodxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chmod unknownCCE-27339-1 </div><div class="panel-heading"><h3 class="panel-title">Record Events that Modify the System's Discretionary Access Controls - chmod</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chmod</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:16</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27339-1">CCE-27339-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030410</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86729r3_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.10</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000126</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.5.5</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000064-GPOS-00033</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000392-GPOS-00172</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000458-GPOS-00203</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>At a minimum, the audit system should collect file permission changes for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add the following line to a file with suffix <code>.rules</code> in the directory <code>/etc/audit/rules.d</code>: <pre>-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod</pre> If the system is 64 bit then also add the following line: <pre>-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod</pre> If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> utility to read audit rules during daemon startup, add the following line to <code>/etc/audit/audit.rules</code> file: <pre>-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod</pre> If the system is 64 bit then also add the following line: <pre>-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.</p></div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span>Â Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.</div></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmodat" id="rule-detail-idm46336713771728"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Record Events that Modify the System's Discretionary Access Controls - fchmodatxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmodat unknownCCE-27388-8 </div><div class="panel-heading"><h3 class="panel-title">Record Events that Modify the System's Discretionary Access Controls - fchmodat</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmodat</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:16</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27388-8">CCE-27388-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030430</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86733r3_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.10</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000126</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.5.5</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000064-GPOS-00033</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000392-GPOS-00172</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000458-GPOS-00203</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>At a minimum, the audit system should collect file permission changes for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add the following line to a file with suffix <code>.rules</code> in the directory <code>/etc/audit/rules.d</code>: <pre>-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod</pre> If the system is 64 bit then also add the following line: <pre>-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod</pre> If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> utility to read audit rules during daemon startup, add the following line to <code>/etc/audit/audit.rules</code> file: <pre>-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod</pre> If the system is 64 bit then also add the following line: <pre>-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.</p></div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span>Â Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.</div></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_removexattr" id="rule-detail-idm46336713756800"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Record Events that Modify the System's Discretionary Access Controls - removexattrxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_removexattr mediumCCE-27367-2 </div><div class="panel-heading"><h3 class="panel-title">Record Events that Modify the System's Discretionary Access Controls - removexattr</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_removexattr</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:16</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27367-2">CCE-27367-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030470</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86741r3_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.10</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.5.5</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000064-GPOS-00033</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000392-GPOS-00172</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000458-GPOS-00203</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>At a minimum, the audit system should collect file permission changes for all users and root. <br><br> If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add the following line to a file with suffix <code>.rules</code> in the directory <code>/etc/audit/rules.d</code>: <pre>-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod</pre> <br><br> If the system is 64 bit then also add the following line: <pre>-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod</pre> <br><br> If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> utility to read audit rules during daemon startup, add the following line to <code>/etc/audit/audit.rules</code> file: <pre>-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod</pre> <br><br> If the system is 64 bit then also add the following line: <pre>-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.</p></div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span>Â Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.</div></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fremovexattr" id="rule-detail-idm46336713741920"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Record Events that Modify the System's Discretionary Access Controls - fremovexattrxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fremovexattr mediumCCE-27353-2 </div><div class="panel-heading"><h3 class="panel-title">Record Events that Modify the System's Discretionary Access Controls - fremovexattr</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fremovexattr</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:16</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27353-2">CCE-27353-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030480</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86743r3_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.10</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.5.5</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000064-GPOS-00033</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000392-GPOS-00172</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000458-GPOS-00203</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>At a minimum, the audit system should collect file permission changes for all users and root. <br><br> If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add the following line to a file with suffix <code>.rules</code> in the directory <code>/etc/audit/rules.d</code>: <pre>-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod</pre> <br><br> If the system is 64 bit then also add the following line: <pre>-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod</pre> <br><br> If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> utility to read audit rules during daemon startup, add the following line to <code>/etc/audit/audit.rules</code> file: <pre>-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod</pre> <br><br> If the system is 64 bit then also add the following line: <pre>-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.</p></div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span>Â Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.</div></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchownat" id="rule-detail-idm46336713726688"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Record Events that Modify the System's Discretionary Access Controls - fchownatxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchownat unknownCCE-27387-0 </div><div class="panel-heading"><h3 class="panel-title">Record Events that Modify the System's Discretionary Access Controls - fchownat</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchownat</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:16</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27387-0">CCE-27387-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030400</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86727r3_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.10</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000126</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.5.5</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000064-GPOS-00033</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000392-GPOS-00172</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000458-GPOS-00203</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000474-GPOS-00219</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>At a minimum, the audit system should collect file permission changes for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add the following line to a file with suffix <code>.rules</code> in the directory <code>/etc/audit/rules.d</code>: <pre>-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod</pre> If the system is 64 bit then also add the following line: <pre>-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod</pre> If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> utility to read audit rules during daemon startup, add the following line to <code>/etc/audit/audit.rules</code> file: <pre>-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod</pre> If the system is 64 bit then also add the following line: <pre>-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.</p></div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span>Â Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.</div></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmod" id="rule-detail-idm46336713711776"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Record Events that Modify the System's Discretionary Access Controls - fchmodxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmod unknownCCE-27393-8 </div><div class="panel-heading"><h3 class="panel-title">Record Events that Modify the System's Discretionary Access Controls - fchmod</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmod</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:16</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27393-8">CCE-27393-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030420</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86731r3_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.10</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000126</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.5.5</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000064-GPOS-00033</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000392-GPOS-00172</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000458-GPOS-00203</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>At a minimum, the audit system should collect file permission changes for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add the following line to a file with suffix <code>.rules</code> in the directory <code>/etc/audit/rules.d</code>: <pre>-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod</pre> If the system is 64 bit then also add the following line: <pre>-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod</pre> If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> utility to read audit rules during daemon startup, add the following line to <code>/etc/audit/audit.rules</code> file: <pre>-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod</pre> If the system is 64 bit then also add the following line: <pre>-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.</p></div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span>Â Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.</div></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lremovexattr" id="rule-detail-idm46336713696656"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Record Events that Modify the System's Discretionary Access Controls - lremovexattrxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lremovexattr mediumCCE-27410-0 </div><div class="panel-heading"><h3 class="panel-title">Record Events that Modify the System's Discretionary Access Controls - lremovexattr</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lremovexattr</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:16</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27410-0">CCE-27410-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030490</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86745r3_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.10</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.5.5</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000064-GPOS-00033</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000392-GPOS-00172</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000458-GPOS-00203</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>At a minimum, the audit system should collect file permission changes for all users and root. <br><br> If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add the following line to a file with suffix <code>.rules</code> in the directory <code>/etc/audit/rules.d</code>: <pre>-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod</pre> <br><br> If the system is 64 bit then also add the following line: <pre>-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod</pre> <br><br> If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> utility to read audit rules during daemon startup, add the following line to <code>/etc/audit/audit.rules</code> file: <pre>-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod</pre> <br><br> If the system is 64 bit then also add the following line: <pre>-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.</p></div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span>Â Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.</div></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fsetxattr" id="rule-detail-idm46336713681648"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Record Events that Modify the System's Discretionary Access Controls - fsetxattrxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fsetxattr unknownCCE-27389-6 </div><div class="panel-heading"><h3 class="panel-title">Record Events that Modify the System's Discretionary Access Controls - fsetxattr</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fsetxattr</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:16</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27389-6">CCE-27389-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030450</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86737r3_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.10</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000126</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.5.5</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000064-GPOS-00033</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000392-GPOS-00172</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000458-GPOS-00203</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>At a minimum, the audit system should collect file permission changes for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add the following line to a file with suffix <code>.rules</code> in the directory <code>/etc/audit/rules.d</code>: <pre>-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod</pre> If the system is 64 bit then also add the following line: <pre>-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod</pre> If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> utility to read audit rules during daemon startup, add the following line to <code>/etc/audit/audit.rules</code> file: <pre>-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod</pre> If the system is 64 bit then also add the following line: <pre>-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.</p></div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span>Â Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.</div></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lchown" id="rule-detail-idm46336713666896"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Record Events that Modify the System's Discretionary Access Controls - lchownxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lchown unknownCCE-27083-5 </div><div class="panel-heading"><h3 class="panel-title">Record Events that Modify the System's Discretionary Access Controls - lchown</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lchown</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:16</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27083-5">CCE-27083-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030390</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86725r3_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.10</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000126</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.5.5</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000064-GPOS-00033</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000392-GPOS-00172</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000458-GPOS-00203</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000474-GPOS-00219</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>At a minimum, the audit system should collect file permission changes for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add the following line to a file with suffix <code>.rules</code> in the directory <code>/etc/audit/rules.d</code>: <pre>-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod</pre> If the system is 64 bit then also add the following line: <pre>-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod</pre> If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> utility to read audit rules during daemon startup, add the following line to <code>/etc/audit/audit.rules</code> file: <pre>-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod</pre> If the system is 64 bit then also add the following line: <pre>-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.</p></div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span>Â Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.</div></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_execution_setfiles" id="rule-detail-idm46336713651424"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Record Any Attempts to Run setfilesxccdf_org.ssgproject.content_rule_audit_rules_execution_setfiles medium</div><div class="panel-heading"><h3 class="panel-title">Record Any Attempts to Run setfiles</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_execution_setfiles</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:16</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030590</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86765r4_rule</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002884</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000392-GPOS-00172</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000463-GPOS-00207</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000465-GPOS-00209</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>At a minimum, the audit system should collect any execution attempt of the <code>setfiles</code> command for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add the following lines to a file with suffix <code>.rules</code> in the directory <code>/etc/audit/rules.d</code>: <pre>-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change</pre> If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> utility to read audit rules during daemon startup, add the following lines to <code>/etc/audit/audit.rules</code> file: <pre>-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast. <br><br> Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_execution_setsebool" id="rule-detail-idm46336713634224"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Record Any Attempts to Run setseboolxccdf_org.ssgproject.content_rule_audit_rules_execution_setsebool mediumCCE-80392-4 </div><div class="panel-heading"><h3 class="panel-title">Record Any Attempts to Run setsebool</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_execution_setsebool</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:16</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80392-4">CCE-80392-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030570</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86761r3_rule</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002884</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000392-GPOS-00172</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000463-GPOS-00207</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000465-GPOS-00209</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>At a minimum, the audit system should collect any execution attempt of the <code>setsebool</code> command for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add the following lines to a file with suffix <code>.rules</code> in the directory <code>/etc/audit/rules.d</code>: <pre>-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change</pre> If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> utility to read audit rules during daemon startup, add the following lines to <code>/etc/audit/audit.rules</code> file: <pre>-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast. <br><br> Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_execution_semanage" id="rule-detail-idm46336713829440"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Record Any Attempts to Run semanagexccdf_org.ssgproject.content_rule_audit_rules_execution_semanage mediumCCE-80391-6 </div><div class="panel-heading"><h3 class="panel-title">Record Any Attempts to Run semanage</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_execution_semanage</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:16</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80391-6">CCE-80391-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030560</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86759r3_rule</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002884</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000392-GPOS-00172</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000463-GPOS-00207</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000465-GPOS-00209</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>At a minimum, the audit system should collect any execution attempt of the <code>semanage</code> command for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add the following lines to a file with suffix <code>.rules</code> in the directory <code>/etc/audit/rules.d</code>: <pre>-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change</pre> If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> utility to read audit rules during daemon startup, add the following lines to <code>/etc/audit/audit.rules</code> file: <pre>-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast. <br><br> Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_execution_chcon" id="rule-detail-idm46336713833408"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Record Any Attempts to Run chconxccdf_org.ssgproject.content_rule_audit_rules_execution_chcon mediumCCE-80393-2 </div><div class="panel-heading"><h3 class="panel-title">Record Any Attempts to Run chcon</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_execution_chcon</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:16</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80393-2">CCE-80393-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030580</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86763r3_rule</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002884</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000392-GPOS-00172</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000463-GPOS-00207</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000465-GPOS-00209</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>At a minimum, the audit system should collect any execution attempt of the <code>chcon</code> command for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add the following lines to a file with suffix <code>.rules</code> in the directory <code>/etc/audit/rules.d</code>: <pre>-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change</pre> If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> utility to read audit rules during daemon startup, add the following lines to <code>/etc/audit/audit.rules</code> file: <pre>-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast. <br><br> Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rmdir" id="rule-detail-idm46336713590384"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure auditd Collects File Deletion Events by User - rmdirxccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rmdir mediumCCE-80412-0 </div><div class="panel-heading"><h3 class="panel-title">Ensure auditd Collects File Deletion Events by User - rmdir</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rmdir</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:16</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80412-0">CCE-80412-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030900</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86827r3_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.14</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002884</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MA-4(1)(a)</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.2.7</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000466-GPOS-00210</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000467-GPOS-00210</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000468-GPOS-00212</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000392-GPOS-00172</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>At a minimum, the audit system should collect file deletion events for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add the following line to a file with suffix <code>.rules</code> in the directory <code>/etc/audit/rules.d</code>, setting ARCH to either b32 or b64 as appropriate for your system: <pre>-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=4294967295 -F key=delete</pre> If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> utility to read audit rules during daemon startup, add the following line to <code>/etc/audit/audit.rules</code> file, setting ARCH to either b32 or b64 as appropriate for your system: <pre>-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=4294967295 -F key=delete</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlinkat" id="rule-detail-idm46336713616672"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure auditd Collects File Deletion Events by User - unlinkatxccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlinkat mediumCCE-27206-2 </div><div class="panel-heading"><h3 class="panel-title">Ensure auditd Collects File Deletion Events by User - unlinkat</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlinkat</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:16</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27206-2">CCE-27206-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030920</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86831r3_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.14</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002884</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MA-4(1)(a)</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.2.7</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000466-GPOS-00210</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000467-GPOS-00210</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000468-GPOS-00212</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000392-GPOS-00172</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>At a minimum, the audit system should collect file deletion events for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add the following line to a file with suffix <code>.rules</code> in the directory <code>/etc/audit/rules.d</code>, setting ARCH to either b32 or b64 as appropriate for your system: <pre>-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=4294967295 -F key=delete</pre> If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> utility to read audit rules during daemon startup, add the following line to <code>/etc/audit/audit.rules</code> file, setting ARCH to either b32 or b64 as appropriate for your system: <pre>-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=4294967295 -F key=delete</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rename" id="rule-detail-idm46336713620352"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure auditd Collects File Deletion Events by User - renamexccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rename mediumCCE-27206-2 </div><div class="panel-heading"><h3 class="panel-title">Ensure auditd Collects File Deletion Events by User - rename</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rename</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:16</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27206-2">CCE-27206-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030880</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86823r3_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.14</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002884</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MA-4(1)(a)</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.2.7</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000466-GPOS-00210</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000467-GPOS-00210</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000468-GPOS-00212</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000392-GPOS-00172</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>At a minimum, the audit system should collect file deletion events for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add the following line to a file with suffix <code>.rules</code> in the directory <code>/etc/audit/rules.d</code>, setting ARCH to either b32 or b64 as appropriate for your system: <pre>-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=4294967295 -F key=delete</pre> If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> utility to read audit rules during daemon startup, add the following line to <code>/etc/audit/audit.rules</code> file, setting ARCH to either b32 or b64 as appropriate for your system: <pre>-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=4294967295 -F key=delete</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_renameat" id="rule-detail-idm46336713567152"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure auditd Collects File Deletion Events by User - renameatxccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_renameat mediumCCE-80413-8 </div><div class="panel-heading"><h3 class="panel-title">Ensure auditd Collects File Deletion Events by User - renameat</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_renameat</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:16</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80413-8">CCE-80413-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030890</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86825r3_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.14</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002884</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MA-4(1)(a)</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.2.7</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000466-GPOS-00210</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000467-GPOS-00210</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000468-GPOS-00212</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000392-GPOS-00172</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>At a minimum, the audit system should collect file deletion events for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add the following line to a file with suffix <code>.rules</code> in the directory <code>/etc/audit/rules.d</code>, setting ARCH to either b32 or b64 as appropriate for your system: <pre>-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=4294967295 -F key=delete</pre> If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> utility to read audit rules during daemon startup, add the following line to <code>/etc/audit/audit.rules</code> file, setting ARCH to either b32 or b64 as appropriate for your system: <pre>-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=4294967295 -F key=delete</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlink" id="rule-detail-idm46336713569424"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure auditd Collects File Deletion Events by User - unlinkxccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlink mediumCCE-27206-2 </div><div class="panel-heading"><h3 class="panel-title">Ensure auditd Collects File Deletion Events by User - unlink</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlink</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:16</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27206-2">CCE-27206-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030910</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86829r3_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.14</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002884</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MA-4(1)(a)</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.2.7</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000466-GPOS-00210</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000467-GPOS-00210</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000468-GPOS-00212</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000392-GPOS-00172</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>At a minimum, the audit system should collect file deletion events for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add the following line to a file with suffix <code>.rules</code> in the directory <code>/etc/audit/rules.d</code>, setting ARCH to either b32 or b64 as appropriate for your system: <pre>-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=4294967295 -F key=delete</pre> If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> utility to read audit rules during daemon startup, add the following line to <code>/etc/audit/audit.rules</code> file, setting ARCH to either b32 or b64 as appropriate for your system: <pre>-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=4294967295 -F key=delete</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_umount" id="rule-detail-idm46336713512704"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure auditd Collects Information on the Use of Privileged Commands - umountxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_umount mediumCCE-80405-4 </div><div class="panel-heading"><h3 class="panel-title">Ensure auditd Collects Information on the Use of Privileged Commands - umount</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_umount</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:16</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80405-4">CCE-80405-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030750</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86797r4_rule</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000135</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002884</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-3(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000042-GPOS-00020</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000392-GPOS-00172</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000471-GPOS-00215</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix <code>.rules</code> in the directory <code>/etc/audit/rules.d</code>: <pre>-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged</pre> If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> utility to read audit rules during daemon startup, add a line of the following form to <code>/etc/audit/audit.rules</code>: <pre>-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast. <br><br> Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_passwd" id="rule-detail-idm46336713497248"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure auditd Collects Information on the Use of Privileged Commands - passwdxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_passwd mediumCCE-80395-7 </div><div class="panel-heading"><h3 class="panel-title">Ensure auditd Collects Information on the Use of Privileged Commands - passwd</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_passwd</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:16</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80395-7">CCE-80395-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030630</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86773r3_rule</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000135</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002884</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-3(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000042-GPOS-00020</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000392-GPOS-00172</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000471-GPOS-00215</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix <code>.rules</code> in the directory <code>/etc/audit/rules.d</code>: <pre>-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged</pre> If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> utility to read audit rules during daemon startup, add a line of the following form to <code>/etc/audit/audit.rules</code>: <pre>-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast. <br><br> Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_postqueue" id="rule-detail-idm46336713482592"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure auditd Collects Information on the Use of Privileged Commands - postqueuexccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_postqueue mediumCCE-80407-0 </div><div class="panel-heading"><h3 class="panel-title">Ensure auditd Collects Information on the Use of Privileged Commands - postqueue</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_postqueue</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:16</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80407-0">CCE-80407-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030770</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86801r2_rule</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000135</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002884</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-3(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000042-GPOS-00020</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000392-GPOS-00172</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000471-GPOS-00215</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix <code>.rules</code> in the directory <code>/etc/audit/rules.d</code>: <pre>-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged</pre> If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> utility to read audit rules during daemon startup, add a line of the following form to <code>/etc/audit/audit.rules</code>: <pre>-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast. <br><br> Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chage" id="rule-detail-idm46336713468048"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure auditd Collects Information on the Use of Privileged Commands - chagexccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chage mediumCCE-80398-1 </div><div class="panel-heading"><h3 class="panel-title">Ensure auditd Collects Information on the Use of Privileged Commands - chage</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chage</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:16</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80398-1">CCE-80398-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030660</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86779r3_rule</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000135</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002884</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-3(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000042-GPOS-00020</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000392-GPOS-00172</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000471-GPOS-00215</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix <code>.rules</code> in the directory <code>/etc/audit/rules.d</code>: <pre>-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged</pre> If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> utility to read audit rules during daemon startup, add a line of the following form to <code>/etc/audit/audit.rules</code>: <pre>-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast. <br><br> Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-error rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands" id="rule-detail-idm46336713452976"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure auditd Collects Information on the Use of Privileged Commandsxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands mediumCCE-27437-3 </div><div class="panel-heading"><h3 class="panel-title">Ensure auditd Collects Information on the Use of Privileged Commands</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands</td></tr><tr><td>Result</td><td class="rule-result rule-result-error"><div><abbr title="The checking engine could not complete the evaluation, therefore the status of the target's compliance with the rule is not certain. This could happen, for example, if a testing tool was run with insufficient privileges and could not gather all of the necessary information.">error</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:32</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27437-3">CCE-27437-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030360</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86719r5_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.10</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002234</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(4)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-6(9)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.2.2</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000327-GPOS-00127</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>At a minimum, the audit system should collect the execution of privileged commands for all users and root. To find the relevant setuid / setgid programs, run the following command for each local partition <i>PART</i>: <pre>$ sudo find <i>PART</i> -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null</pre> If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix <code>.rules</code> in the directory <code>/etc/audit/rules.d</code> for each setuid / setgid program on the system, replacing the <i>SETUID_PROG_PATH</i> part with the full path of that setuid / setgid program in the list: <pre>-a always,exit -F path=<i>SETUID_PROG_PATH</i> -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged</pre> If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> utility to read audit rules during daemon startup, add a line of the following form to <code>/etc/audit/audit.rules</code> for each setuid / setgid program on the system, replacing the <i>SETUID_PROG_PATH</i> part with the full path of that setuid / setgid program in the list: <pre>-a always,exit -F path=<i>SETUID_PROG_PATH</i> -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast. <br><br> Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.</p></div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span>Â This rule checks for multiple syscalls related to privileged commands; it was written with DISA STIG in mind. Other policies should use a separate rule for each syscall that needs to be checked. For example: <ul><li><code>audit_rules_privileged_commands_su</code></li><li><code>audit_rules_privileged_commands_umount</code></li><li><code>audit_rules_privileged_commands_passwd</code></li></ul></div></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Failed to verify applied fix: Checking engine returns: fail</message></pre></div></div></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation Shell script:</span>Â Â Â <a data-toggle="collapse" data-target="#idm46336719758016">(show)</a><br></br><div class="panel-collapse collapse" id="idm46336719758016"><pre><code> # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' <abbr title="from TestResult: xccdf_org.ssgproject.content_value_function_perform_audit_rules_privileged_commands_remediation"># Function to perform remediation for 'audit_rules_privileged_commands' rule # # Expects two arguments: # # audit_tool tool used to load audit rules # One of 'auditctl' or 'augenrules' # # min_auid Minimum original ID the user logged in with # '500' for RHEL-6 and before, '1000' for RHEL-7 and after. # # Example Call(s): # # perform_audit_rules_privileged_commands_remediation "auditctl" "500" # perform_audit_rules_privileged_commands_remediation "augenrules" "1000" # function perform_audit_rules_privileged_commands_remediation { # # Load function arguments into local variables local tool="$1" local min_auid="$2" # Check sanity of the input if [ $# -ne "2" ] then echo "Usage: perform_audit_rules_privileged_commands_remediation 'auditctl | augenrules' '500 | 1000'" echo "Aborting." exit 1 fi declare -a files_to_inspect=() # Check sanity of the specified audit tool if [ "$tool" != 'auditctl' ] && [ "$tool" != 'augenrules' ] then echo "Unknown audit rules loading tool: $1. Aborting." echo "Use either 'auditctl' or 'augenrules'!" exit 1 # If the audit tool is 'auditctl', then: # * add '/etc/audit/audit.rules'to the list of files to be inspected, # * specify '/etc/audit/audit.rules' as the output audit file, where # missing rules should be inserted elif [ "$tool" == 'auditctl' ] then files_to_inspect=("/etc/audit/audit.rules") output_audit_file="/etc/audit/audit.rules" # # If the audit tool is 'augenrules', then: # * add '/etc/audit/rules.d/*.rules' to the list of files to be inspected # (split by newline), # * specify /etc/audit/rules.d/privileged.rules' as the output file, where # missing rules should be inserted elif [ "$tool" == 'augenrules' ] then IFS=$'\n' files_to_inspect=($(find /etc/audit/rules.d -maxdepth 1 -type f -name '*.rules' -print)) output_audit_file="/etc/audit/rules.d/privileged.rules" fi # Obtain the list of SUID/SGID binaries on the particular system (split by newline) # into privileged_binaries array IFS=$'\n' privileged_binaries=($(find / -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null)) # Keep list of SUID/SGID binaries that have been already handled within some previous iteration declare -a sbinaries_to_skip=() # For each found sbinary in privileged_binaries list for sbinary in "${privileged_binaries[@]}" do # Check if this sbinary wasn't already handled in some of the previous iterations # Return match only if whole sbinary definition matched (not in the case just prefix matched!!!) if [[ $(sed -ne "\|${sbinary}|p" <<< "${sbinaries_to_skip[*]}") ]] then # If so, don't process it second time & go to process next sbinary continue fi # Reset the counter of inspected files when starting to check # presence of existing audit rule for new sbinary local count_of_inspected_files=0 # Define expected rule form for this binary expected_rule="-a always,exit -F path=${sbinary} -F perm=x -F auid>=${min_auid} -F auid!=4294967295 -k privileged" # If list of audit rules files to be inspected is empty, just add new rule and move on to next binary if [[ ${#files_to_inspect[@]} -eq 0 ]]; then echo "$expected_rule" >> "$output_audit_file" continue fi # Replace possible slash '/' character in sbinary definition so we could use it in sed expressions below sbinary_esc=${sbinary//$'/'/$'\/'} # For each audit rules file from the list of files to be inspected for afile in "${files_to_inspect[@]}" do # Search current audit rules file's content for match. Match criteria: # * existing rule is for the same SUID/SGID binary we are currently processing (but # can contain multiple -F path= elements covering multiple SUID/SGID binaries) # * existing rule contains all arguments from expected rule form (though can contain # them in arbitrary order) base_search=$(sed -e '/-a always,exit/!d' -e '/-F path='"${sbinary_esc}"'/!d' \ -e '/-F path=[^[:space:]]\+/!d' -e '/-F perm=.*/!d' \ -e '/-F auid>='"${min_auid}"'/!d' -e '/-F auid!=4294967295/!d' \ -e '/-k privileged/!d' "$afile") # Increase the count of inspected files for this sbinary count_of_inspected_files=$((count_of_inspected_files + 1)) # Require execute access type to be set for existing audit rule exec_access='x' # Search current audit rules file's content for presence of rule pattern for this sbinary if [[ $base_search ]] then # Current audit rules file already contains rule for this binary => # Store the exact form of found rule for this binary for further processing concrete_rule=$base_search # Select all other SUID/SGID binaries possibly also present in the found rule IFS=$'\n' handled_sbinaries=($(grep -o -e "-F path=[^[:space:]]\+" <<< "$concrete_rule")) IFS=$' ' handled_sbinaries=(${handled_sbinaries[@]//-F path=/}) # Merge the list of such SUID/SGID binaries found in this iteration with global list ignoring duplicates sbinaries_to_skip=($(for i in "${sbinaries_to_skip[@]}" "${handled_sbinaries[@]}"; do echo "$i"; done | sort -du)) # Separate concrete_rule into three sections using hash '#' # sign as a delimiter around rule's permission section borders concrete_rule="$(echo "$concrete_rule" | sed -n "s/\(.*\)\+\(-F perm=[rwax]\+\)\+/\1#\2#/p")" # Split concrete_rule into head, perm, and tail sections using hash '#' delimiter IFS=$'#' read -r rule_head rule_perm rule_tail <<< "$concrete_rule" # Extract already present exact access type [r|w|x|a] from rule's permission section access_type=${rule_perm//-F perm=/} # Verify current permission access type(s) for rule contain 'x' (execute) permission if ! grep -q "$exec_access" <<< "$access_type" then # If not, append the 'x' (execute) permission to the existing access type bits access_type="$access_type$exec_access" # Reconstruct the permissions section for the rule new_rule_perm="-F perm=$access_type" # Update existing rule in current audit rules file with the new permission section sed -i "s#${rule_head}\(.*\)${rule_tail}#${rule_head}${new_rule_perm}${rule_tail}#" "$afile" fi # If the required audit rule for particular sbinary wasn't found yet, insert it under following conditions: # # * in the "auditctl" mode of operation insert particular rule each time # (because in this mode there's only one file -- /etc/audit/audit.rules to be inspected for presence of this rule), # # * in the "augenrules" mode of operation insert particular rule only once and only in case we have already # searched all of the files from /etc/audit/rules.d/*.rules location (since that audit rule can be defined # in any of those files and if not, we want it to be inserted only once into /etc/audit/rules.d/privileged.rules file) # elif [ "$tool" == "auditctl" ] || [[ "$tool" == "augenrules" && $count_of_inspected_files -eq "${#files_to_inspect[@]}" ]] then # Current audit rules file's content doesn't contain expected rule for this # SUID/SGID binary yet => append it echo "$expected_rule" >> "$output_audit_file" continue fi done done } </abbr> perform_audit_rules_privileged_commands_remediation "auditctl" "1000" perform_audit_rules_privileged_commands_remediation "augenrules" "1000" </code></pre></div></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation Ansible snippet:</span>Â Â Â <a data-toggle="collapse" data-target="#idm46336719751920">(show)</a><br></br><div class="panel-collapse collapse" id="idm46336719751920"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code> - name: Search for privileged commands shell: "find / -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null | cat" check_mode: no register: find_result tags: - audit_rules_privileged_commands - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-27437-3 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) - NIST-800-53-AU-2(c) - NIST-800-53-AU-2(d) - NIST-800-53-AU-2(4) - NIST-800-53-AU-6(9) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-171-3.1.7 - PCI-DSS-Req-10.2.2 - CJIS-5.4.1.1 - DISA-STIG-RHEL-07-030360 # Inserts/replaces the rule in /etc/audit/rules.d - name: Search /etc/audit/rules.d for audit rule entries find: paths: "/etc/audit/rules.d" recurse: no contains: "^.*path={{ item }} .*$" patterns: "*.rules" with_items: - "{{ find_result.stdout_lines }}" register: files_result tags: - audit_rules_privileged_commands - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-27437-3 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) - NIST-800-53-AU-2(c) - NIST-800-53-AU-2(d) - NIST-800-53-AU-2(4) - NIST-800-53-AU-6(9) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-171-3.1.7 - PCI-DSS-Req-10.2.2 - CJIS-5.4.1.1 - DISA-STIG-RHEL-07-030360 - name: Overwrites the rule in rules.d lineinfile: path: "{{ item.1.path }}" line: '-a always,exit -F path={{ item.0.item }} -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged' create: no regexp: "^.*path={{ item.0.item }} .*$" with_subelements: - "{{ files_result.results }}" - files tags: - audit_rules_privileged_commands - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-27437-3 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) - NIST-800-53-AU-2(c) - NIST-800-53-AU-2(d) - NIST-800-53-AU-2(4) - NIST-800-53-AU-6(9) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-171-3.1.7 - PCI-DSS-Req-10.2.2 - CJIS-5.4.1.1 - DISA-STIG-RHEL-07-030360 - name: Adds the rule in rules.d lineinfile: path: /etc/audit/rules.d/privileged.rules line: '-a always,exit -F path={{ item.item }} -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged' create: yes with_items: - "{{ files_result.results }}" when: item.matched == 0 tags: - audit_rules_privileged_commands - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-27437-3 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) - NIST-800-53-AU-2(c) - NIST-800-53-AU-2(d) - NIST-800-53-AU-2(4) - NIST-800-53-AU-6(9) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-171-3.1.7 - PCI-DSS-Req-10.2.2 - CJIS-5.4.1.1 - DISA-STIG-RHEL-07-030360 # Adds/overwrites the rule in /etc/audit/audit.rules - name: Inserts/replaces the rule in audit.rules lineinfile: path: /etc/audit/audit.rules line: '-a always,exit -F path={{ item.item }} -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged' create: yes regexp: "^.*path={{ item.item }} .*$" with_items: - "{{ files_result.results }}" tags: - audit_rules_privileged_commands - medium_severity - restrict_strategy - low_complexity - low_disruption - CCE-27437-3 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) - NIST-800-53-AU-2(c) - NIST-800-53-AU-2(d) - NIST-800-53-AU-2(4) - NIST-800-53-AU-6(9) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-171-3.1.7 - PCI-DSS-Req-10.2.2 - CJIS-5.4.1.1 - DISA-STIG-RHEL-07-030360 </code></pre></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_userhelper" id="rule-detail-idm46336713426064"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure auditd Collects Information on the Use of Privileged Commands - userhelperxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_userhelper mediumCCE-80399-9 </div><div class="panel-heading"><h3 class="panel-title">Ensure auditd Collects Information on the Use of Privileged Commands - userhelper</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_userhelper</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:32</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80399-9">CCE-80399-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030670</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86781r3_rule</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000135</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002884</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-3(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000042-GPOS-00020</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000392-GPOS-00172</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000471-GPOS-00215</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix <code>.rules</code> in the directory <code>/etc/audit/rules.d</code>: <pre>-a always,exit -F path=/usr/bin/userhelper -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged</pre> If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> utility to read audit rules during daemon startup, add a line of the following form to <code>/etc/audit/audit.rules</code>: <pre>-a always,exit -F path=/usr/bin/userhelper -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast. <br><br> Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_ssh_keysign" id="rule-detail-idm46336713538864"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysignxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_ssh_keysign mediumCCE-80408-8 </div><div class="panel-heading"><h3 class="panel-title">Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_ssh_keysign</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:32</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80408-8">CCE-80408-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030780</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86803r2_rule</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000135</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002884</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-3(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000042-GPOS-00020</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000392-GPOS-00172</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000471-GPOS-00215</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix <code>.rules</code> in the directory <code>/etc/audit/rules.d</code>: <pre>-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged</pre> If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> utility to read audit rules during daemon startup, add a line of the following form to <code>/etc/audit/audit.rules</code>: <pre>-a always,exit -F path=/usr/libexec/openssh/key-sign -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast. <br><br> Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudoedit" id="rule-detail-idm46336713419360"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure auditd Collects Information on the Use of Privileged Commands - sudoeditxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudoedit mediumCCE-80402-1 </div><div class="panel-heading"><h3 class="panel-title">Ensure auditd Collects Information on the Use of Privileged Commands - sudoedit</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudoedit</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:32</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80402-1">CCE-80402-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030730</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86793r4_rule</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000135</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002884</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-3(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000042-GPOS-00020</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000392-GPOS-00172</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000471-GPOS-00215</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix <code>.rules</code> in the directory <code>/etc/audit/rules.d</code>: <pre>-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged</pre> If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> utility to read audit rules during daemon startup, add a line of the following form to <code>/etc/audit/audit.rules</code>: <pre>-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast. <br><br> Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_su" id="rule-detail-idm46336713388560"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure auditd Collects Information on the Use of Privileged Commands - suxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_su mediumCCE-80400-5 </div><div class="panel-heading"><h3 class="panel-title">Ensure auditd Collects Information on the Use of Privileged Commands - su</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_su</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:32</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80400-5">CCE-80400-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030680</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86783r4_rule</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000135</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002884</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-3(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000042-GPOS-00020</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000392-GPOS-00172</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000471-GPOS-00215</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix <code>.rules</code> in the directory <code>/etc/audit/rules.d</code>: <pre>-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged</pre> If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> utility to read audit rules during daemon startup, add a line of the following form to <code>/etc/audit/audit.rules</code>: <pre>-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast. <br><br> Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_pam_timestamp_check" id="rule-detail-idm46336713377424"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_checkxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_pam_timestamp_check mediumCCE-80411-2 </div><div class="panel-heading"><h3 class="panel-title">Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_pam_timestamp_check</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:32</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80411-2">CCE-80411-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030810</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86809r3_rule</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000135</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002884</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-3(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000042-GPOS-00020</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000392-GPOS-00172</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000471-GPOS-00215</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix <code>.rules</code> in the directory <code>/etc/audit/rules.d</code>: <pre>-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged</pre> If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> utility to read audit rules during daemon startup, add a line of the following form to <code>/etc/audit/audit.rules</code>: <pre>-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast. <br><br> Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudo" id="rule-detail-idm46336713401584"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure auditd Collects Information on the Use of Privileged Commands - sudoxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudo mediumCCE-80401-3 </div><div class="panel-heading"><h3 class="panel-title">Ensure auditd Collects Information on the Use of Privileged Commands - sudo</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudo</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:32</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80401-3">CCE-80401-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030690</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86785r3_rule</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000135</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002884</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-3(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000042-GPOS-00020</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000392-GPOS-00172</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000471-GPOS-00215</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix <code>.rules</code> in the directory <code>/etc/audit/rules.d</code>: <pre>-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged</pre> If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> utility to read audit rules during daemon startup, add a line of the following form to <code>/etc/audit/audit.rules</code>: <pre>-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast. <br><br> Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_newgrp" id="rule-detail-idm46336713407360"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure auditd Collects Information on the Use of Privileged Commands - newgrpxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_newgrp mediumCCE-80403-9 </div><div class="panel-heading"><h3 class="panel-title">Ensure auditd Collects Information on the Use of Privileged Commands - newgrp</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_newgrp</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:32</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80403-9">CCE-80403-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030710</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86789r3_rule</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000135</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002884</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-3(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000042-GPOS-00020</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000392-GPOS-00172</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000471-GPOS-00215</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix <code>.rules</code> in the directory <code>/etc/audit/rules.d</code>: <pre>-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged</pre> If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> utility to read audit rules during daemon startup, add a line of the following form to <code>/etc/audit/audit.rules</code>: <pre>-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast. <br><br> Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_crontab" id="rule-detail-idm46336713332848"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure auditd Collects Information on the Use of Privileged Commands - crontabxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_crontab mediumCCE-80410-4 </div><div class="panel-heading"><h3 class="panel-title">Ensure auditd Collects Information on the Use of Privileged Commands - crontab</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_crontab</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:32</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80410-4">CCE-80410-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030800</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86807r2_rule</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000135</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002884</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-3(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000042-GPOS-00020</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000392-GPOS-00172</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000471-GPOS-00215</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix <code>.rules</code> in the directory <code>/etc/audit/rules.d</code>: <pre>-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged</pre> If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> utility to read audit rules during daemon startup, add a line of the following form to <code>/etc/audit/audit.rules</code>: <pre>-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast. <br><br> Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_gpasswd" id="rule-detail-idm46336713318016"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure auditd Collects Information on the Use of Privileged Commands - gpasswdxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_gpasswd mediumCCE-80397-3 </div><div class="panel-heading"><h3 class="panel-title">Ensure auditd Collects Information on the Use of Privileged Commands - gpasswd</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_gpasswd</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:32</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80397-3">CCE-80397-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030650</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86777r3_rule</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000135</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002884</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-3(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000042-GPOS-00020</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000392-GPOS-00172</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000471-GPOS-00215</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix <code>.rules</code> in the directory <code>/etc/audit/rules.d</code>: <pre>-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged</pre> If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> utility to read audit rules during daemon startup, add a line of the following form to <code>/etc/audit/audit.rules</code>: <pre>-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast. <br><br> Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_unix_chkpwd" id="rule-detail-idm46336713303184"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwdxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_unix_chkpwd mediumCCE-80396-5 </div><div class="panel-heading"><h3 class="panel-title">Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwd</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_unix_chkpwd</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:32</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80396-5">CCE-80396-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030640</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86775r4_rule</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000135</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002884</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-3(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000042-GPOS-00020</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000392-GPOS-00172</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000471-GPOS-00215</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix <code>.rules</code> in the directory <code>/etc/audit/rules.d</code>: <pre>-a always,exit -F path=/usr/bin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged</pre> If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> utility to read audit rules during daemon startup, add a line of the following form to <code>/etc/audit/audit.rules</code>: <pre>-a always,exit -F path=/usr/bin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast. <br><br> Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_postdrop" id="rule-detail-idm46336713356768"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure auditd Collects Information on the Use of Privileged Commands - postdropxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_postdrop mediumCCE-80406-2 </div><div class="panel-heading"><h3 class="panel-title">Ensure auditd Collects Information on the Use of Privileged Commands - postdrop</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_postdrop</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:32</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80406-2">CCE-80406-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030760</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86799r3_rule</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000135</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002884</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-3(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000042-GPOS-00020</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000392-GPOS-00172</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000471-GPOS-00215</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix <code>.rules</code> in the directory <code>/etc/audit/rules.d</code>: <pre>-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged</pre> If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> utility to read audit rules during daemon startup, add a line of the following form to <code>/etc/audit/audit.rules</code>: <pre>-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast. <br><br> Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chsh" id="rule-detail-idm46336713362736"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure auditd Collects Information on the Use of Privileged Commands - chshxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chsh mediumCCE-80404-7 </div><div class="panel-heading"><h3 class="panel-title">Ensure auditd Collects Information on the Use of Privileged Commands - chsh</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chsh</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:32</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80404-7">CCE-80404-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030720</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86791r3_rule</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000135</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002884</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-3(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000042-GPOS-00020</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000392-GPOS-00172</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000471-GPOS-00215</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix <code>.rules</code> in the directory <code>/etc/audit/rules.d</code>: <pre>-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged</pre> If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> utility to read audit rules during daemon startup, add a line of the following form to <code>/etc/audit/audit.rules</code>: <pre>-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast. <br><br> Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_by_handle_at" id="rule-detail-idm46336713258800"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Record Unauthorized Access Attempts to Files (unsuccessful) - open_by_handle_atxccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_by_handle_at mediumCCE-80388-2 </div><div class="panel-heading"><h3 class="panel-title">Record Unauthorized Access Attempts to Files (unsuccessful) - open_by_handle_at</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_by_handle_at</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:32</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80388-2">CCE-80388-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030530</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86753r3_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.10</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002884</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.2.4</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.2.1</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000064-GPOS-00033</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000458-GPOS-00203</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000461-GPOS-00205</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000392-GPOS-00172</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add the following lines to a file with suffix <code>.rules</code> in the directory <code>/etc/audit/rules.d</code>: <pre>-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access</pre> If the system is 64 bit then also add the following lines: <pre> -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access</pre> If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> utility to read audit rules during daemon startup, add the following lines to <code>/etc/audit/audit.rules</code> file: <pre>-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access</pre> If the system is 64 bit then also add the following lines: <pre> -a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.</p></div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span>Â Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.</div></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open" id="rule-detail-idm46336713282656"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Record Unauthorized Access Attempts to Files (unsuccessful) - openxccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open mediumCCE-80386-6 </div><div class="panel-heading"><h3 class="panel-title">Record Unauthorized Access Attempts to Files (unsuccessful) - open</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:32</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80386-6">CCE-80386-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030510</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86749r3_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.10</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002884</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.2.4</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.2.1</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000064-GPOS-00033</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000458-GPOS-00203</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000461-GPOS-00205</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000392-GPOS-00172</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add the following lines to a file with suffix <code>.rules</code> in the directory <code>/etc/audit/rules.d</code>: <pre>-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access</pre> If the system is 64 bit then also add the following lines: <pre> -a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access</pre> If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> utility to read audit rules during daemon startup, add the following lines to <code>/etc/audit/audit.rules</code> file: <pre>-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access</pre> If the system is 64 bit then also add the following lines: <pre> -a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.</p></div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span>Â Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.</div></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_creat" id="rule-detail-idm46336713286336"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Record Unauthorized Access Attempts to Files (unsuccessful) - creatxccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_creat mediumCCE-80385-8 </div><div class="panel-heading"><h3 class="panel-title">Record Unauthorized Access Attempts to Files (unsuccessful) - creat</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_creat</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:32</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80385-8">CCE-80385-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030500</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86747r3_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.10</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002884</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.2.4</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.2.1</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000064-GPOS-00033</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000458-GPOS-00203</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000461-GPOS-00205</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000392-GPOS-00172</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add the following lines to a file with suffix <code>.rules</code> in the directory <code>/etc/audit/rules.d</code>: <pre>-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access</pre> If the system is 64 bit then also add the following lines: <pre> -a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access</pre> If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> utility to read audit rules during daemon startup, add the following lines to <code>/etc/audit/audit.rules</code> file: <pre>-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access</pre> If the system is 64 bit then also add the following lines: <pre> -a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.</p></div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span>Â Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.</div></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_ftruncate" id="rule-detail-idm46336713241328"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Record Unauthorized Access Attempts to Files (unsuccessful) - ftruncatexccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_ftruncate mediumCCE-80390-8 </div><div class="panel-heading"><h3 class="panel-title">Record Unauthorized Access Attempts to Files (unsuccessful) - ftruncate</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_ftruncate</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:32</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80390-8">CCE-80390-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030550</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86757r3_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.10</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002884</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.2.4</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.2.1</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000064-GPOS-00033</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000458-GPOS-00203</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000461-GPOS-00205</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000392-GPOS-00172</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add the following lines to a file with suffix <code>.rules</code> in the directory <code>/etc/audit/rules.d</code>: <pre>-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access</pre> If the system is 64 bit then also add the following lines: <pre> -a always,exit -F arch=b64 -S ftruncate -F exiu=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access</pre> If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> utility to read audit rules during daemon startup, add the following lines to <code>/etc/audit/audit.rules</code> file: <pre>-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access</pre> If the system is 64 bit then also add the following lines: <pre> -a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.</p></div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span>Â Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.</div></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_truncate" id="rule-detail-idm46336713229632"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Record Unauthorized Access Attempts to Files (unsuccessful) - truncatexccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_truncate mediumCCE-80389-0 </div><div class="panel-heading"><h3 class="panel-title">Record Unauthorized Access Attempts to Files (unsuccessful) - truncate</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_truncate</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:32</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80389-0">CCE-80389-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030540</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86755r3_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.10</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002884</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.2.4</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.2.1</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000064-GPOS-00033</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000458-GPOS-00203</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000461-GPOS-00205</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000392-GPOS-00172</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add the following lines to a file with suffix <code>.rules</code> in the directory <code>/etc/audit/rules.d</code>: <pre>-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access</pre> If the system is 64 bit then also add the following lines: <pre> -a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access</pre> If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> utility to read audit rules during daemon startup, add the following lines to <code>/etc/audit/audit.rules</code> file: <pre>-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access</pre> If the system is 64 bit then also add the following lines: <pre> -a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.</p></div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span>Â Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.</div></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_openat" id="rule-detail-idm46336713235472"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Record Unauthorized Access Attempts to Files (unsuccessful) - openatxccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_openat mediumCCE-80387-4 </div><div class="panel-heading"><h3 class="panel-title">Record Unauthorized Access Attempts to Files (unsuccessful) - openat</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_openat</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:32</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80387-4">CCE-80387-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030520</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86751r3_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.10</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002884</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.2.4</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.2.1</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000064-GPOS-00033</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000458-GPOS-00203</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000461-GPOS-00205</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000392-GPOS-00172</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add the following lines to a file with suffix <code>.rules</code> in the directory <code>/etc/audit/rules.d</code>: <pre>-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access</pre> If the system is 64 bit then also add the following lines: <pre> -a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access</pre> If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> utility to read audit rules during daemon startup, add the following lines to <code>/etc/audit/audit.rules</code> file: <pre>-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access</pre> If the system is 64 bit then also add the following lines: <pre> -a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.</p></div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span>Â Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.</div></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_shadow" id="rule-detail-idm46336713110544"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Record Events that Modify User/Group Information - /etc/shadowxccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_shadow mediumCCE-80431-0 </div><div class="panel-heading"><h3 class="panel-title">Record Events that Modify User/Group Information - /etc/shadow</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_shadow</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:32</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80431-0">CCE-80431-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030873</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-87823r3_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.5</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000018</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001403</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002130</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(4)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.2.5</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000004-GPOS-00004</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add the following lines to a file with suffix <code>.rules</code> in the directory <code>/etc/audit/rules.d</code>, in order to capture events that modify account changes: <br><br> <pre>-w /etc/shadow -p wa -k audit_rules_usergroup_modification</pre> <br><br> If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> utility to read audit rules during daemon startup, add the following lines to <code>/etc/audit/audit.rules</code> file, in order to capture events that modify account changes: <br><br> <pre>-w /etc/shadow -p wa -k audit_rules_usergroup_modification</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_gshadow" id="rule-detail-idm46336713130800"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Record Events that Modify User/Group Information - /etc/gshadowxccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_gshadow mediumCCE-80432-8 </div><div class="panel-heading"><h3 class="panel-title">Record Events that Modify User/Group Information - /etc/gshadow</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_gshadow</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:32</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80432-8">CCE-80432-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030872</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-87819r3_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.5</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000018</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001403</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002130</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(4)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.2.5</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000004-GPOS-00004</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add the following lines to a file with suffix <code>.rules</code> in the directory <code>/etc/audit/rules.d</code>, in order to capture events that modify account changes: <br><br> <pre>-w /etc/gshadow -p wa -k audit_rules_usergroup_modification</pre> <br><br> If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> utility to read audit rules during daemon startup, add the following lines to <code>/etc/audit/audit.rules</code> file, in order to capture events that modify account changes: <br><br> <pre>-w /etc/gshadow -p wa -k audit_rules_usergroup_modification</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_media_export" id="rule-detail-idm46336713142880"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure auditd Collects Information on Exporting to Media (successful)xccdf_org.ssgproject.content_rule_audit_rules_media_export mediumCCE-27447-2 </div><div class="panel-heading"><h3 class="panel-title">Ensure auditd Collects Information on Exporting to Media (successful)</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_media_export</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:32</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27447-2">CCE-27447-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030740</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86795r5_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.13</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000135</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002884</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-3(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.2.7</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000042-GPOS-00020</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000392-GPOS-00172</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>At a minimum, the audit system should collect media exportation events for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add the following line to a file with suffix <code>.rules</code> in the directory <code>/etc/audit/rules.d</code>, setting ARCH to either b32 or b64 as appropriate for your system: <pre>-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=4294967295 -F key=export</pre> If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> utility to read audit rules during daemon startup, add the following line to <code>/etc/audit/audit.rules</code> file, setting ARCH to either b32 or b64 as appropriate for your system: <pre>-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=4294967295 -F key=export</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The unauthorized exportation of data to external media could result in an information leak where classified information, Privacy Act information, and intellectual property could be lost. An audit trail should be created each time a filesystem is mounted to help identify and guard against information loss.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_opasswd" id="rule-detail-idm46336713056000"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Record Events that Modify User/Group Information - /etc/security/opasswdxccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_opasswd mediumCCE-80430-2 </div><div class="panel-heading"><h3 class="panel-title">Record Events that Modify User/Group Information - /etc/security/opasswd</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_opasswd</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:32</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80430-2">CCE-80430-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030874</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-87825r4_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.5</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000018</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001403</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002130</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(4)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.2.5</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000004-GPOS-00004</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add the following lines to a file with suffix <code>.rules</code> in the directory <code>/etc/audit/rules.d</code>, in order to capture events that modify account changes: <br><br> <pre>-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification</pre> <br><br> If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> utility to read audit rules during daemon startup, add the following lines to <code>/etc/audit/audit.rules</code> file, in order to capture events that modify account changes: <br><br> <pre>-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions" id="rule-detail-idm46336713038528"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure auditd Collects System Administrator Actionsxccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions unknownCCE-27461-3 </div><div class="panel-heading"><h3 class="panel-title">Ensure auditd Collects System Administrator Actions</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:32</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27461-3">CCE-27461-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030700</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86787r4_rule</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000126</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000130</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000135</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002884</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(7)(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">iAU-3(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.2.2</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.2.5.b</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000037-GPOS-00015</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000042-GPOS-00020</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000392-GPOS-00172</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000462-GPOS-00206</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000471-GPOS-00215</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>At a minimum, the audit system should collect administrator actions for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add the following line to a file with suffix <code>.rules</code> in the directory <code>/etc/audit/rules.d</code>: <pre>-w /etc/sudoers -p wa -k actions -w /etc/sudoers.d/ -p wa -k actions</pre> If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> utility to read audit rules during daemon startup, add the following line to <code>/etc/audit/audit.rules</code> file: <pre>-w /etc/sudoers -p wa -k actions -w /etc/sudoers.d/ -p wa -k actions</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The actions taken by system administrators should be audited to keep a record of what was executed on the system, as well as, for accountability purposes.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_system_shutdown" id="rule-detail-idm46336713034784"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Shutdown System When Auditing Failures Occurxccdf_org.ssgproject.content_rule_audit_rules_system_shutdown mediumCCE-80381-7 </div><div class="panel-heading"><h3 class="panel-title">Shutdown System When Auditing Failures Occur</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_system_shutdown</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:32</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80381-7">CCE-80381-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030010</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86705r3_rule</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.4</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000139</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-5(a)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000046-GPOS-00022</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000047-GPOS-00023</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add the following line to a file with suffix <code>.rules</code> in the directory <code>/etc/audit/rules.d</code>: <pre>-f 2</pre> If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> utility to read audit rules during daemon startup, add the following line to the top of the <code>/etc/audit/audit.rules</code> file: <pre>-f 2</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected. <br><br> Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_passwd" id="rule-detail-idm46336713062336"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Record Events that Modify User/Group Information - /etc/passwdxccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_passwd mediumCCE-80435-1 </div><div class="panel-heading"><h3 class="panel-title">Record Events that Modify User/Group Information - /etc/passwd</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_passwd</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:32</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80435-1">CCE-80435-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030870</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86821r4_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.5</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000018</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001403</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002130</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(4)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.2.5</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000004-GPOS-00004</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000239-GPOS-00089</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000240-GPOS-00090</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000241-GPOS-00091</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000303-GPOS-00120</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000476-GPOS-00221</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add the following lines to a file with suffix <code>.rules</code> in the directory <code>/etc/audit/rules.d</code>, in order to capture events that modify account changes: <br><br> <pre>-w /etc/passwd -p wa -k audit_rules_usergroup_modification</pre> <br><br> If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> utility to read audit rules during daemon startup, add the following lines to <code>/etc/audit/audit.rules</code> file, in order to capture events that modify account changes: <br><br> <pre>-w /etc/passwd -p wa -k audit_rules_usergroup_modification</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_group" id="rule-detail-idm46336713016640"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Record Events that Modify User/Group Information - /etc/groupxccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_group mediumCCE-80433-6 </div><div class="panel-heading"><h3 class="panel-title">Record Events that Modify User/Group Information - /etc/group</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_group</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:32</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80433-6">CCE-80433-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030871</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-87817r2_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.5</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000018</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001403</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002130</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(4)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.2.5</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000004-GPOS-00004</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add the following lines to a file with suffix <code>.rules</code> in the directory <code>/etc/audit/rules.d</code>, in order to capture events that modify account changes: <br><br> <pre>-w /etc/group -p wa -k audit_rules_usergroup_modification</pre> <br><br> If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> utility to read audit rules during daemon startup, add the following lines to <code>/etc/audit/audit.rules</code> file, in order to capture events that modify account changes: <br><br> <pre>-w /etc/group -p wa -k audit_rules_usergroup_modification</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-error rule-detail-id-xccdf_org.ssgproject.content_rule_service_auditd_enabled" id="rule-detail-idm46336713011568"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Enable auditd Servicexccdf_org.ssgproject.content_rule_service_auditd_enabled highCCE-27407-6 </div><div class="panel-heading"><h3 class="panel-title">Enable auditd Service</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_service_auditd_enabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-error"><div><abbr title="The checking engine could not complete the evaluation, therefore the status of the target's compliance with the rule is not certain. This could happen, for example, if a testing tool was run with insufficient privileges and could not gather all of the necessary information.">error</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:33</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27407-6">CCE-27407-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-030000</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86703r2_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">4.1.2</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.6</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000126</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000131</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(iv)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(2)(iii)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-10</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-14(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000038-GPOS-00016</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000039-GPOS-00017</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000042-GPOS-00021</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000254-GPOS-00095</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000255-GPOS-00096</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>auditd</code> service is an essential userspace component of the Linux Auditing System, as it is responsible for writing audit records to disk. The <code>auditd</code> service can be enabled with the following command: <pre>$ sudo systemctl enable auditd.service</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Ensuring the <code>auditd</code> service is active ensures audit records generated by the kernel are appropriately recorded. <br><br> Additionally, a properly configured audit subsystem ensures that actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Running in chroot, ignoring request. </message></pre><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Failed to verify applied fix: Checking engine returns: fail</message></pre></div></div></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation Shell script:</span>Â Â Â <a data-toggle="collapse" data-target="#idm46336718336112">(show)</a><br></br><div class="panel-collapse collapse" id="idm46336718336112"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code> SYSTEMCTL_EXEC='/usr/bin/systemctl' "$SYSTEMCTL_EXEC" start 'auditd.service' "$SYSTEMCTL_EXEC" enable 'auditd.service' </code></pre></div></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation Ansible snippet:</span>Â Â Â <a data-toggle="collapse" data-target="#idm46336718332448">(show)</a><br></br><div class="panel-collapse collapse" id="idm46336718332448"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service auditd service: name: "{{item}}" enabled: "yes" state: "started" with_items: - auditd tags: - service_auditd_enabled - high_severity - enable_strategy - low_complexity - low_disruption - CCE-27407-6 - NIST-800-53-AU-3 - NIST-800-53-AC-17(1) - NIST-800-53-AU-1(b) - NIST-800-53-AU-10 - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-AU-14(1) - NIST-800-53-IR-5 - NIST-800-171-3.3.1 - NIST-800-171-3.3.2 - NIST-800-171-3.3.6 - PCI-DSS-Req-10 - CJIS-5.4.1.1 - DISA-STIG-RHEL-07-030000 </code></pre></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_partition_for_home" id="rule-detail-idm46336712984736"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure /home Located On Separate Partitionxccdf_org.ssgproject.content_rule_partition_for_home lowCCE-80144-9 </div><div class="panel-heading"><h3 class="panel-title">Ensure /home Located On Separate Partition</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_partition_for_home</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:26:17</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80144-9">CCE-80144-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-021310</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86683r1_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">1.1.13</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001208</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-32(1)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>If user home directories will be stored locally, create a separate partition for <code>/home</code> at installation time (or migrate it later using LVM). If <code>/home</code> will be mounted from another system such as an NFS server, then creating a separate partition is not necessary at installation time, and the mountpoint can instead be configured later.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Ensuring that <code>/home</code> is mounted on its own partition enables the setting of more restrictive mount options, and also helps ensure that users cannot trivially fill partitions used for log or audit data storage.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_partition_for_var" id="rule-detail-idm46336712979024"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure /var Located On Separate Partitionxccdf_org.ssgproject.content_rule_partition_for_var lowCCE-26404-4 </div><div class="panel-heading"><h3 class="panel-title">Ensure /var Located On Separate Partition</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_partition_for_var</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:26:17</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-26404-4">CCE-26404-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-021320</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86685r1_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">1.1.6</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-32(1)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>/var</code> directory is used by daemons and other system services to store frequently-changing data. Ensure that <code>/var</code> has its own partition or logical volume at installation time, or migrate it using LVM.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Ensuring that <code>/var</code> is mounted on its own partition enables the setting of more restrictive mount options. This helps protect system services such as daemons or other programs which use it. It is not uncommon for the <code>/var</code> directory to contain world-writable directories installed by other software packages.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_partition_for_tmp" id="rule-detail-idm46336712975136"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure /tmp Located On Separate Partitionxccdf_org.ssgproject.content_rule_partition_for_tmp lowCCE-27173-4 </div><div class="panel-heading"><h3 class="panel-title">Ensure /tmp Located On Separate Partition</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_partition_for_tmp</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:26:17</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27173-4">CCE-27173-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-021340</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86689r1_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">1.1.2</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-32(1)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>/tmp</code> directory is a world-writable directory used for temporary file storage. Ensure it has its own partition or logical volume at installation time, or migrate it using LVM.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The <code>/tmp</code> partition is used as temporary storage by many programs. Placing <code>/tmp</code> in its own partition enables the setting of more restrictive mount options, which can help protect programs which use it.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_partition_for_var_log_audit" id="rule-detail-idm46336712971248"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure /var/log/audit Located On Separate Partitionxccdf_org.ssgproject.content_rule_partition_for_var_log_audit lowCCE-26971-2 </div><div class="panel-heading"><h3 class="panel-title">Ensure /var/log/audit Located On Separate Partition</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_partition_for_var_log_audit</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:26:17</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-26971-2">CCE-26971-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-021330</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86687r5_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">1.1.12</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(ii)</a>, <a href="https://www.iso.org/standard/54534.html">A.12.3.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-4</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-9</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-32(1)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Audit logs are stored in the <code>/var/log/audit</code> directory. Ensure that it has its own partition or logical volume at installation time, or migrate it later using LVM. Make absolutely certain that it is large enough to store all audit logs that will be created by the auditing daemon.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Placing <code>/var/log/audit</code> in its own partition enables better separation between audit files and other files, and helps ensure that auditing cannot be halted due to the partition running out of space.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate" id="rule-detail-idm46336712962976"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticatexccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate mediumCCE-80350-2 </div><div class="panel-heading"><h3 class="panel-title">Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:26:17</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80350-2">CCE-80350-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-010350</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86573r2_rule</a>, <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R5)</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002038</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-11</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000373-GPOS-00156</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000373-GPOS-00157</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000373-GPOS-00158</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The sudo <code>!authenticate</code> option, when specified, allows a user to execute commands using sudo without having to authenticate. This should be disabled by making sure that the <code>!authenticate</code> option does not exist in <code>/etc/sudoers</code> configuration file or any sudo configuration snippets in <code>/etc/sudoers.d/</code>.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Without re-authentication, users may access resources or perform tasks for which they do not have authorization. <br><br> When operating systems provide the capability to escalate a functional capability, it is critical that the user re-authenticate.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd" id="rule-detail-idm46336712959008"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWDxccdf_org.ssgproject.content_rule_sudo_remove_nopasswd mediumCCE-80351-0 </div><div class="panel-heading"><h3 class="panel-title">Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:26:17</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80351-0">CCE-80351-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-010340</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86571r2_rule</a>, <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R5)</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002038</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-11</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000373-GPOS-00156</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000373-GPOS-00157</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000373-GPOS-00158</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The sudo <code>NOPASSWD</code> tag, when specified, allows a user to execute commands using sudo without having to authenticate. This should be disabled by making sure that the <code>NOPASSWD</code> tag does not exist in <code>/etc/sudoers</code> configuration file or any sudo configuration snippets in <code>/etc/sudoers.d/</code>.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Without re-authentication, users may access resources or perform tasks for which they do not have authorization. <br><br> When operating systems provide the capability to escalate a functional capability, it is critical that the user re-authenticate.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_installed_OS_is_certified" id="rule-detail-idm46336712955120"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->The Installed Operating System Is Vendor Supported and Certifiedxccdf_org.ssgproject.content_rule_installed_OS_is_certified highCCE-80349-4 </div><div class="panel-heading"><h3 class="panel-title">The Installed Operating System Is Vendor Supported and Certified</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_installed_OS_is_certified</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:26:17</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80349-4">CCE-80349-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-020250</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86621r2_rule</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-2(c)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The installed operating system must be maintained and certified by a vendor. Red Hat Enterprise Linux is supported by Red Hat, Inc. As the Red Hat Enterprise Linux vendor, Red Hat, Inc. is responsible for providing security patches as well as meeting and maintaining goverment certifications and standards.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>An operating system is considered "supported" if the vendor continues to provide security patches for the product as well as maintain government certification requirements. With an unsupported release, it will not be possible to resolve security issue discovered in the system software as well as meet government certifications.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-error rule-detail-id-xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode" id="rule-detail-idm46336712949344"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Enable FIPS Mode in GRUB2xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode highCCE-80359-3 </div><div class="panel-heading"><h3 class="panel-title">Enable FIPS Mode in GRUB2</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode</td></tr><tr><td>Result</td><td class="rule-result rule-result-error"><div><abbr title="The checking engine could not complete the evaluation, therefore the status of the target's compliance with the rule is not certain. This could happen, for example, if a testing tool was run with insufficient privileges and could not gather all of the necessary information.">error</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:28:13</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80359-3">CCE-80359-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-021350</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86691r3_rule</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.10.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.13.8</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.13.11</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000068</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002450</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(2)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000033-GPOS-00014</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000396-GPOS-00176</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000478-GPOS-00223</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To ensure FIPS mode is enabled, rebuild <code>initramfs</code> by running the following command: <pre>dracut -f</pre> After the <code>dracut</code> command has been run, add the argument <code>fips=1</code> to the default GRUB 2 command line for the Linux operating system in <code>/etc/default/grub</code>, in the manner below: <pre>GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=VolGroup/LogVol06 rd.lvm.lv=VolGroup/lv_swap rhgb quiet rd.shell=0 fips=1"</pre> Finally, rebuild the <code>grub.cfg</code> file by using the <pre>grub2-mkconfig -o</pre> command as follows: <ul><li>On BIOS-based machines, issue the following command as <code>root</code>: <pre>~]# grub2-mkconfig -o /boot/grub2/grub.cfg</pre></li><li>On UEFI-based machines, issue the following command as <code>root</code>: <pre>~]# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg</pre></li></ul></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.</p></div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span>Â Running <pre>dracut -f</pre> will overwrite the existing initramfs file.</div></div><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span>Â The system needs to be rebooted for these changes to take effect.</div></div><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span>Â The ability to enable FIPS does not denote FIPS compliancy or certification. Red Hat, Inc. and Red Hat Enterprise Linux are respectively FIPS certified and compliant. Community projects such as CentOS, Scientific Linux, etc. do not necessarily meet FIPS certification and compliancy. Therefore, non-certified vendors and/or projects do not meet this requirement even if technically feasible. <br><br> See <b><a href="http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401vend.htm">http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401vend.htm</a></b> for a list of FIPS certified vendors.</div></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">grep: /etc/sysconfig/prelink: No such file or directory which: no dnf in (/bin:/sbin:/usr/bin:/usr/sbin) /bin/yum Loaded plugins: product-id, search-disabled-repos, subscription-manager This system is not registered with an entitlement server. You can use subscription-manager to register. There are no enabled repos. Run "yum repolist all" to see the repos you have. To enable Red Hat Subscription Management repositories: subscription-manager repos --enable <repo> To enable custom repositories: yum-config-manager --enable <repo> </message></pre><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Failed to verify applied fix: Checking engine returns: fail</message></pre></div></div></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation Shell script:</span>Â Â Â <a data-toggle="collapse" data-target="#idm46336718056416">(show)</a><br></br><div class="panel-collapse collapse" id="idm46336718056416"><pre><code><abbr title="from TestResult: xccdf_org.ssgproject.content_value_function_disable_prelink">function disable_prelink { # Disable prelinking and don't even check # whether it is installed. if grep -q ^PRELINKING /etc/sysconfig/prelink then sed -i 's/^PRELINKING[:blank:]*=[:blank:]*[:alpha:]*/PRELINKING=no/' /etc/sysconfig/prelink else printf '\n' >> /etc/sysconfig/prelink printf '%s\n' '# Set PRELINKING=no per security requirements' 'PRELINKING=no' >> /etc/sysconfig/prelink fi # Undo previous prelink changes to binaries if prelink is available. if test -x /usr/sbin/prelink; then /usr/sbin/prelink -ua fi } </abbr> disable_prelink <abbr title="from TestResult: xccdf_org.ssgproject.content_value_function_package_install"># Function to install packages on RHEL, Fedora, Debian, and possibly other systems. # # Example Call(s): # # package_install aide # function package_install { # Load function arguments into local variables local package="$1" # Check sanity of the input if [ $# -ne "1" ] then echo "Usage: package_install 'package_name'" echo "Aborting." exit 1 fi if which dnf ; then if ! rpm -q --quiet "$package"; then dnf install -y "$package" fi elif which yum ; then if ! rpm -q --quiet "$package"; then yum install -y "$package" fi elif which apt-get ; then apt-get install -y "$package" else echo "Failed to detect available packaging system, tried dnf, yum and apt-get!" echo "Aborting." exit 1 fi } </abbr> package_install dracut-fips dracut -f # Correct the form of default kernel command line in grub if grep -q '^GRUB_CMDLINE_LINUX=.*fips=.*"' /etc/default/grub; then # modify the GRUB command-line if a fips= arg already exists sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)fips=[^[:space:]]*\(.*"\)/\1 fips=1 \2/' /etc/default/grub else # no existing fips=arg is present, append it sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)"/\1 fips=1"/' /etc/default/grub fi # Get the UUID of the device mounted at /boot. BOOT_UUID=$(findmnt --noheadings --output uuid --target /boot) if grep -q '^GRUB_CMDLINE_LINUX=".*boot=.*"' /etc/default/grub; then # modify the GRUB command-line if a boot= arg already exists sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)boot=[^[:space:]]*\(.*"\)/\1 boot=UUID='"${BOOT_UUID} \2/" /etc/default/ grub else # no existing boot=arg is present, append it sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)"/\1 boot=UUID='${BOOT_UUID}'"/' /etc/default/grub fi # Correct the form of kernel command line for each installed kernel in the bootloader /sbin/grubby --update-kernel=ALL --args="fips=1 boot=UUID=${BOOT_UUID}" </code></pre></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_mcafee_antivirus_definitions_updated" id="rule-detail-idm46336712923968"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Virus Scanning Software Definitions Are Updatedxccdf_org.ssgproject.content_rule_mcafee_antivirus_definitions_updated mediumCCE-80129-0 </div><div class="panel-heading"><h3 class="panel-title">Virus Scanning Software Definitions Are Updated</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_mcafee_antivirus_definitions_updated</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:26:17</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80129-0">CCE-80129-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-032010</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86839r2_rule</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001239</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001668</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-28</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-3(1)(ii)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Ensure virus definition files are no older than 7 days or their last release.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Virus scanning software can be used to detect if a system has been compromised by computer viruses, as well as to limit their spread to other systems.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_install_mcafee_antivirus" id="rule-detail-idm46336712919088"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Install McAfee Virus Scanning Softwarexccdf_org.ssgproject.content_rule_install_mcafee_antivirus highCCE-80127-4 </div><div class="panel-heading"><h3 class="panel-title">Install McAfee Virus Scanning Software</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_install_mcafee_antivirus</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:26:17</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80127-4">CCE-80127-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-032000</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86837r2_rule</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001239</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001668</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-28</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-3(1)(ii)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Install McAfee VirusScan Enterprise for Linux antivirus software which is provided for DoD systems and uses signatures to search for the presence of viruses on the filesystem.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Virus scanning software can be used to detect if a system has been compromised by computer viruses, as well as to limit their spread to other systems.</p></div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span>Â Due to McAfee HIPS being 3rd party software, automated remediation is not available for this configuration check.</div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_rpm_verify_permissions" id="rule-detail-idm46336712908304"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Verify and Correct File Permissions with RPMxccdf_org.ssgproject.content_rule_rpm_verify_permissions highCCE-27209-6 </div><div class="panel-heading"><h3 class="panel-title">Verify and Correct File Permissions with RPM</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_rpm_verify_permissions</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:26:22</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27209-6">CCE-27209-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-010010</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86473r2_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">1.2.6</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">6.1.3</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">6.1.4</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">6.1.5</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">6.1.6</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">6.1.7</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">6.1.8</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">6.1.9</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">6.2.3</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.10.4.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.8</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.1</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001494</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001496</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(c)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(c)(2)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(i)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-9(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-9(3)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(3)</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-11.5</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000257-GPOS-00098</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000278-GPOS-00108</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The RPM package management system can check file access permissions of installed software packages, including many that are important to system security. Verify that the file permissions of system files and commands match vendor values. Check the file permissions with the following command: <pre>$ sudo rpm -Va | grep '^.M'</pre> Output indicates files that do not match vendor defaults. After locating a file with incorrect permissions, run the following command to determine which package owns it: <pre>$ rpm -qf <i>FILENAME</i></pre> <br> Next, run the following command to reset its permissions to the correct values: <pre>$ sudo rpm --quiet --setperms <i>PACKAGENAME</i></pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Permissions on system binaries and configuration files that are too generous could allow an unauthorized user to gain privileges that they should not have. The permissions set by the vendor should be maintained. Any deviations from this baseline should be investigated.</p></div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span>Â <b>Note: Due to a bug in the <code>gdm</code> package, the RPM verify command may continue to fail even after file permissions have been correctly set on <code>/var/log/gdm</code>. This is being tracked in Red Hat Bugzilla #1277603.</b> </div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_rpm_verify_ownership" id="rule-detail-idm46336712904352"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Verify and Correct Ownership with RPMxccdf_org.ssgproject.content_rule_rpm_verify_ownership highCCE-80545-7 </div><div class="panel-heading"><h3 class="panel-title">Verify and Correct Ownership with RPM</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_rpm_verify_ownership</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:26:31</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80545-7">CCE-80545-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-TBD</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">1.2.6</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">6.1.3</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">6.1.4</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">6.1.5</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">6.1.6</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">6.1.7</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">6.1.8</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">6.1.9</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">6.2.3</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.10.4.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.8</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.1</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001494</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001496</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-9(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-9(3)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(3)</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-11.5</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000257-GPOS-00098</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000278-GPOS-00108</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The RPM package management system can check file ownership permissions of installed software packages, including many that are important to system security. After locating a file with incorrect permissions, which can be found with <pre>rpm -Va | grep "^.....\(U\|.G\)"</pre> run the following command to determine which package owns it: <pre>$ rpm -qf <i>FILENAME</i></pre> Next, run the following command to reset its permissions to the correct values: <pre>$ sudo rpm --setugids <i>PACKAGENAME</i></pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Ownership of binaries and configuration files that is incorrect could allow an unauthorized user to gain privileges that they should not have. The ownership set by the vendor should be maintained. Any deviations from this baseline should be investigated.</p></div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span>Â <b>Note: Due to a bug in the <code>gdm</code> package, the RPM verify command may continue to fail even after file permissions have been correctly set on <code>/var/log/gdm</code>. This is being tracked in Red Hat Bugzilla #1277603.</b> </div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_rpm_verify_hashes" id="rule-detail-idm46336712900464"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Verify File Hashes with RPMxccdf_org.ssgproject.content_rule_rpm_verify_hashes highCCE-27157-7 </div><div class="panel-heading"><h3 class="panel-title">Verify File Hashes with RPM</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_rpm_verify_hashes</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:11</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27157-7">CCE-27157-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-010020</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86479r2_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">1.2.6</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.10.4.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.8</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.1</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000663</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(c)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(c)(2)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(i)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(3)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-7(1)</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-11.5</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Without cryptographic integrity protections, system executables and files can be altered by unauthorized users without detection. The RPM package management system can check the hashes of installed software packages, including many that are important to system security. To verify that the cryptographic hash of system files and commands match vendor values, run the following command to list which files on the system have hashes that differ from what is expected by the RPM database: <pre>$ rpm -Va | grep '^..5'</pre> A "c" in the second column indicates that a file is a configuration file, which may appropriately be expected to change. If the file was not expected to change, investigate the cause of the change using audit logs or other means. The package can then be reinstalled to restore the file. Run the following command to determine which package owns the file: <pre>$ rpm -qf <i>FILENAME</i></pre> The package can be reinstalled from a yum repository using the command: <pre>$ sudo yum reinstall <i>PACKAGENAME</i></pre> Alternatively, the package can be reinstalled from trusted media using the command: <pre>$ sudo rpm -Uvh <i>PACKAGENAME</i></pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The hashes of important files like system executables should match the information given by the RPM database. Executables with erroneous hashes could be a sign of nefarious activity on the system.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_package_aide_installed" id="rule-detail-idm46336712896576"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Install AIDExccdf_org.ssgproject.content_rule_package_aide_installed mediumCCE-27096-7 </div><div class="panel-heading"><h3 class="panel-title">Install AIDE</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_aide_installed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:12</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-27096-7">CCE-27096-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">1.3.1</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.10.1.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-3(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-3(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(3)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-28</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-7</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-11.5</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Install the AIDE package with the command: <pre>$ sudo yum install aide</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The AIDE package must be installed if it is to be available for integrity checking.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_aide_verify_ext_attributes" id="rule-detail-idm46336712892672"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure AIDE to Verify Extended Attributesxccdf_org.ssgproject.content_rule_aide_verify_ext_attributes mediumCCE-80376-7 </div><div class="panel-heading"><h3 class="panel-title">Configure AIDE to Verify Extended Attributes</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_aide_verify_ext_attributes</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:28:13</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80376-7">CCE-80376-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-021610</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86695r2_rule</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-7.1</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>By default, the <code>xattrs</code> option is added to the <code>FIPSR</code> ruleset in AIDE. If using a custom ruleset or the <code>xattrs</code> option is missing, add <code>xattrs</code> to the appropriate ruleset. For example, add <code>xattrs</code> to the following line in <code>/etc/aide.conf</code>: <pre>FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256</pre> AIDE rules can be configured in multiple ways; this is merely one example that is already configured by default.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Extended attributes in file systems are used to contain arbitrary data and file metadata with security implications.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">which: no dnf in (/bin:/sbin:/usr/bin:/usr/sbin) /bin/yum </message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_aide_verify_acls" id="rule-detail-idm46336712887072"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure AIDE to Verify Access Control Lists (ACLs)xccdf_org.ssgproject.content_rule_aide_verify_acls mediumCCE-80375-9 </div><div class="panel-heading"><h3 class="panel-title">Configure AIDE to Verify Access Control Lists (ACLs)</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_aide_verify_acls</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:28:13</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80375-9">CCE-80375-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-021600</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86693r2_rule</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-7.1</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>By default, the <code>acl</code> option is added to the <code>FIPSR</code> ruleset in AIDE. If using a custom ruleset or the <code>acl</code> option is missing, add <code>acl</code> to the appropriate ruleset. For example, add <code>acl</code> to the following line in <code>/etc/aide.conf</code>: <pre>FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256</pre> AIDE rules can be configured in multiple ways; this is merely one example that is already configured by default.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>ACLs can provide permissions beyond those permitted through the file mode and must be verified by the file integrity tools.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">which: no dnf in (/bin:/sbin:/usr/bin:/usr/sbin) /bin/yum </message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_aide_use_fips_hashes" id="rule-detail-idm46336712874832"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure AIDE to Use FIPS 140-2 for Validating Hashesxccdf_org.ssgproject.content_rule_aide_use_fips_hashes mediumCCE-80377-5 </div><div class="panel-heading"><h3 class="panel-title">Configure AIDE to Use FIPS 140-2 for Validating Hashes</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_aide_use_fips_hashes</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:28:13</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80377-5">CCE-80377-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-021620</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86697r2_rule</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.13.11</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-7(1)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>By default, the <code>sha512</code> option is added to the <code>NORMAL</code> ruleset in AIDE. If using a custom ruleset or the <code>sha512</code> option is missing, add <code>sha512</code> to the appropriate ruleset. For example, add <code>sha512</code> to the following line in <code>/etc/aide.conf</code>: <pre>NORMAL = FIPSR+sha512</pre> AIDE rules can be configured in multiple ways; this is merely one example that is already configured by default.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>File integrity tools use cryptographic hashes for verifying file contents and directories have not been altered. These hashes must be FIPS 140-2 approved cryptographic hashes.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">which: no dnf in (/bin:/sbin:/usr/bin:/usr/sbin) /bin/yum </message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_aide_scan_notification" id="rule-detail-idm46336712876864"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure Notification of Post-AIDE Scan Detailsxccdf_org.ssgproject.content_rule_aide_scan_notification mediumCCE-80374-2 </div><div class="panel-heading"><h3 class="panel-title">Configure Notification of Post-AIDE Scan Details</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_aide_scan_notification</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:28:14</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80374-2">CCE-80374-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-020040</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86599r1_rule</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001744</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-3(5)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000363-GPOS-00150</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>AIDE should notify appropriate personnel of the details of a scan after the scan has been run. If AIDE has already been configured for periodic execution in <code>/etc/crontab</code>, append the following line to the existing AIDE line: <pre> | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost</pre> Otherwise, add the following line to <code>/etc/crontab</code>: <pre>05 4 * * * root /usr/sbin/aide --check | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost</pre> AIDE can be executed periodically through other means; this is merely one example.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security. <br><br> Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information Management Officer (IMO)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">which: no dnf in (/bin:/sbin:/usr/bin:/usr/sbin) /bin/yum </message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking" id="rule-detail-idm46336712858480"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure Periodic Execution of AIDExccdf_org.ssgproject.content_rule_aide_periodic_cron_checking mediumCCE-26952-2 </div><div class="panel-heading"><h3 class="panel-title">Configure Periodic Execution of AIDE</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:28:14</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-26952-2">CCE-26952-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-020030</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86597r1_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">1.3.2</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.10.1.3</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001744</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-3(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-3(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-3(5)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(3)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-28</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-7</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-11.5</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000363-GPOS-00150</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>At a minimum, AIDE should be configured to run a weekly scan. At most, AIDE should be run daily. To implement a daily execution of AIDE at 4:05am using cron, add the following line to <code>/etc/crontab</code>: <pre>05 4 * * * root /usr/sbin/aide --check</pre> To implement a weekly execution of AIDE at 4:05am using cron, add the following line to <code>/etc/crontab</code>: <pre>05 4 * * 0 root /usr/sbin/aide --check</pre> AIDE can be executed periodically through other means; this is merely one example. The usage of cron's special time codes, such as <code>@daily</code> and <code>@weekly</code> is acceptable.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>By default, AIDE does not install itself for periodic execution. Periodically running AIDE is necessary to reveal unexpected changes in installed files. <br><br> Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security. <br><br> Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information Management Officer (IMO)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">which: no dnf in (/bin:/sbin:/usr/bin:/usr/sbin) /bin/yum </message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notchecked rule-detail-id-xccdf_org.ssgproject.content_rule_security_patches_up_to_date" id="rule-detail-idm46336712846512"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure Software Patches Installedxccdf_org.ssgproject.content_rule_security_patches_up_to_date highCCE-26895-3 </div><div class="panel-heading"><h3 class="panel-title">Ensure Software Patches Installed</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_security_patches_up_to_date</td></tr><tr><td>Result</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:12</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-26895-3">CCE-26895-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-020260</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86623r3_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">1.8</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.10.4.1</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-2(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MA-1(b)</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-6.2</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p> If the system is joined to the Red Hat Network, a Red Hat Satellite Server, or a yum server, run the following command to install updates: <pre>$ sudo yum update</pre> If the system is not configured to use one of these sources, updates (in the form of RPM packages) can be manually downloaded from the Red Hat Network and installed using <code>rpm</code>. <br><br> NOTE: U.S. Defense systems are required to be patched within 30 days or sooner as local policy dictates.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Installing software updates is a fundamental mitigation against the exploitation of publicly-known vulnerabilities. If the most recent security patches and updates are not installed, unauthorized users may take advantage of weaknesses in the unpatched software. The lack of prompt attention to patching could result in a system compromise.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">None of the check-content-ref elements was resolvable.</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_ensure_gpgcheck_repo_metadata" id="rule-detail-idm46336712839984"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure gpgcheck Enabled for Repository Metadataxccdf_org.ssgproject.content_rule_ensure_gpgcheck_repo_metadata highCCE-80348-6 </div><div class="panel-heading"><h3 class="panel-title">Ensure gpgcheck Enabled for Repository Metadata</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_ensure_gpgcheck_repo_metadata</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:12</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80348-6">CCE-80348-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-020070</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86605r1_rule</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001749</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(c)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(c)(2)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(i)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-5(3)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000366-GPOS-00153</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Verify the operating system prevents the installation of patches, service packs, device drivers, or operating system components of local packages without verification of the repository metadata. <br><br> Check that <code>yum</code> verifies the repository metadata prior to install with the following command. This should be configured by setting <code>repo_gpgcheck</code> to <code>1</code> in <code>/etc/yum.conf</code>.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Changes to any software components can have significant effects to the overall security of the operating system. This requirement ensures the software has not been tampered and has been provided by a trusted vendor. <br><br> Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization. <br><br> Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. The operating system should not have to verify the software again. <br><br> NOTE: For U.S. Military systems, this requirement does not mandate DoD certificates for this purpose; however, the certificate used to verify the software must be from an approved Certificate Authority.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_clean_components_post_updating" id="rule-detail-idm46336712836016"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure YUM Removes Previous Package Versionsxccdf_org.ssgproject.content_rule_clean_components_post_updating lowCCE-80346-0 </div><div class="panel-heading"><h3 class="panel-title">Ensure YUM Removes Previous Package Versions</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_clean_components_post_updating</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:28:14</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80346-0">CCE-80346-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-020200</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86611r1_rule</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.8</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002617</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-2(6)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000437-GPOS-00194</a></p></td></tr><tr><td>Description</td><td><div class="description"><p><code>Yum</code> should be configured to remove previous software components after previous versions have been installed. To configure <code>yum</code> to remove the previous software components after updating, set the <code>clean_requirements_on_remove</code> to <code>1</code> in <code>/etc/yum.conf</code>.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by some adversaries.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated" id="rule-detail-idm46336712817408"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure gpgcheck Enabled In Main Yum Configurationxccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated highCCE-26989-4 </div><div class="panel-heading"><h3 class="panel-title">Ensure gpgcheck Enabled In Main Yum Configuration</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:12</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-26989-4">CCE-26989-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-020050</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86601r1_rule</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">1.2.2</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.10.4.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.8</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001749</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(c)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(c)(2)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(i)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-5(3)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-7</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MA-1(b)</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-6.2</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000366-GPOS-00153</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>gpgcheck</code> option controls whether RPM packages' signatures are always checked prior to installation. To configure yum to check package signatures before installing them, ensure the following line appears in <code>/etc/yum.conf</code> in the <code>[main]</code> section: <pre>gpgcheck=1</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. <br> Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization. <br> Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. Certificates used to verify the software must be from an approved Certificate Authority (CA).</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages" id="rule-detail-idm46336712827936"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure gpgcheck Enabled for Local Packagesxccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages highCCE-80347-8 </div><div class="panel-heading"><h3 class="panel-title">Ensure gpgcheck Enabled for Local Packages</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:28:14</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80347-8">CCE-80347-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-020060</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86603r1_rule</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.8</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001749</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(c)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(c)(2)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(i)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-5(3)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000366-GPOS-00153</a></p></td></tr><tr><td>Description</td><td><div class="description"><p><code>Yum</code> should be configured to verify the signature(s) of local packages prior to installation. To configure <code>yum</code> to verify signatures of local packages, set the <code>localpkg_gpgcheck</code> to <code>1</code> in <code>/etc/yum.conf</code>.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Changes to any software components can have significant effects to the overall security of the operating system. This requirement ensures the software has not been tampered and has been provided by a trusted vendor. <br><br> Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_dconf_gnome_session_idle_user_locks" id="rule-detail-idm46336712816080"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure Users Cannot Change GNOME3 Session Idle Settingsxccdf_org.ssgproject.content_rule_dconf_gnome_session_idle_user_locks mediumCCE-80544-0 </div><div class="panel-heading"><h3 class="panel-title">Ensure Users Cannot Change GNOME3 Session Idle Settings</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_dconf_gnome_session_idle_user_locks</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:12</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80544-0">CCE-80544-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-010082</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-87809r3_rule</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.10</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000057</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-11(a)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-00029-GPOS-0010</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>If not already configured, ensure that users cannot change GNOME3 session idle settings by adding <code>/org/gnome/desktop/session/idle-delay</code> to <code>/etc/dconf/db/local.d/locks/00-security-settings-lock</code> to prevent user modification. For example: <pre>/org/gnome/desktop/session/idle-delay</pre> After the settings have been set, run <code>dconf update</code>.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not logout because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, GNOME desktops can be configured to identify when a user's session has idled and take action to initiate the session lock. As such, users should not be allowed to change session settings.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_delay" id="rule-detail-idm46336712812288"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set GNOME3 Screensaver Lock Delay After Activation Periodxccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_delay mediumCCE-80370-0 </div><div class="panel-heading"><h3 class="panel-title">Set GNOME3 Screensaver Lock Delay After Activation Period</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_delay</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:12</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80370-0">CCE-80370-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-010110</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86525r2_rule</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.10</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000056</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-11(a)</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.1.8</a>, <a href="">OS-SRG-000029-GPOS-00010</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To activate the locking delay of the screensaver in the GNOME3 desktop when the screensaver is activated, add or set <code>lock-delay</code> to <code>uint32 <abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_screensaver_lock_delay">5</abbr></code> in <code>/etc/dconf/db/local.d/00-security-settings</code>. For example: <pre>[org/gnome/desktop/screensaver] lock-delay=uint32 <abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_screensaver_lock_delay">5</abbr> </pre> Once the setting has been added, add a lock to <code>/etc/dconf/db/local.d/locks/00-security-settings-lock</code> to prevent user modification. For example: <pre>/org/gnome/desktop/screensaver/lock-delay</pre> After the settings have been set, run <code>dconf update</code>.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to logout because of the temporary nature of the absense.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_user_locks" id="rule-detail-idm46336712801968"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure Users Cannot Change GNOME3 Screensaver Settingsxccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_user_locks mediumCCE-80371-8 </div><div class="panel-heading"><h3 class="panel-title">Ensure Users Cannot Change GNOME3 Screensaver Settings</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_user_locks</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:12</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80371-8">CCE-80371-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-010081</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-87807r3_rule</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.10</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000057</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-11(a)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-00029-GPOS-0010</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>If not already configured, ensure that users cannot change GNOME3 screensaver lock settings by adding <code>/org/gnome/desktop/screensaver/lock-delay</code> to <code>/etc/dconf/db/local.d/locks/00-security-settings-lock</code> to prevent user modification. For example: <pre>/org/gnome/desktop/screensaver/lock-delay</pre> After the settings have been set, run <code>dconf update</code>.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not logout because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, GNOME desktops can be configured to identify when a user's session has idled and take action to initiate the session lock. As such, users should not be allowed to change session settings.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_activation_enabled" id="rule-detail-idm46336712796224"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Enable GNOME3 Screensaver Idle Activationxccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_activation_enabled mediumCCE-80111-8 </div><div class="panel-heading"><h3 class="panel-title">Enable GNOME3 Screensaver Idle Activation</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_activation_enabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:12</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80111-8">CCE-80111-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-010100</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86523r3_rule</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.10</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000057</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-11(a)</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.1.8</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000029-GPOS-00010</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To activate the screensaver in the GNOME3 desktop after a period of inactivity, add or set <code>idle-activation-enabled</code> to <code>true</code> in <code>/etc/dconf/db/local.d/00-security-settings</code>. For example: <pre>[org/gnome/desktop/screensaver] idle_activation_enabled=true</pre> Once the setting has been added, add a lock to <code>/etc/dconf/db/local.d/locks/00-security-settings-lock</code> to prevent user modification. For example: <pre>/org/gnome/desktop/screensaver/idle-activation-enabled</pre> After the settings have been set, run <code>dconf update</code>.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not logout because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, GNOME desktops can be configured to identify when a user's session has idled and take action to initiate the session lock. <br><br> Enabling idle activation of the screensaver ensures the screensaver will be activated after the idle delay. Applications requiring continuous, real-time screen display (such as network management products) require the login session does not have administrator rights and the display station is located in a controlled-access area.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay" id="rule-detail-idm46336712790592"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set GNOME3 Screensaver Inactivity Timeoutxccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay mediumCCE-80110-0 </div><div class="panel-heading"><h3 class="panel-title">Set GNOME3 Screensaver Inactivity Timeout</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:12</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80110-0">CCE-80110-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-010070</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86517r4_rule</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.10</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000057</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-11(a)</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.1.8</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000029-GPOS-00010</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The idle time-out value for inactivity in the GNOME3 desktop is configured via the <code>idle-delay</code> setting must be set under an appropriate configuration file(s) in the <code>/etc/dconf/db/local.d</code> directory and locked in <code>/etc/dconf/db/local.d/locks</code> directory to prevent user modification. <br><br> For example, to configure the system for a 15 minute delay, add the following to <code>/etc/dconf/db/local.d/00-security-settings</code>: <pre>[org/gnome/desktop/session] idle-delay='uint32 900'</pre> Once the setting has been added, add a lock to <code>/etc/dconf/db/local.d/locks/00-security-settings-lock</code> to prevent user modification. For example: <pre>/org/gnome/desktop/session/idle-delay</pre> After the settings have been set, run <code>dconf update</code>.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not logout because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, GNOME3 can be configured to identify when a user's session has idled and take action to initiate a session lock.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_locked" id="rule-detail-idm46336712785776"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure Users Cannot Change GNOME3 Screensaver Lock After Idle Periodxccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_locked mediumCCE-80563-0 </div><div class="panel-heading"><h3 class="panel-title">Ensure Users Cannot Change GNOME3 Screensaver Lock After Idle Period</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_locked</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:12</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80563-0">CCE-80563-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-010062</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-93701r1_rule</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.10</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000056</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-11(b)</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.1.8</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000029-GPOS-00010</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>If not already configured, ensure that users cannot change GNOME3 screensaver lock settings by adding <pre>/org/gnome/desktop/screensaver/lock-enabled</pre> to <code>/etc/dconf/db/local.d/00-security-settings</code>. For example: <pre>/org/gnome/desktop/screensaver/lock-enabled</pre> After the settings have been set, run <code>dconf update</code>.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to logout because of the temporary nature of the absense.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_enabled" id="rule-detail-idm46336712776256"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Enable GNOME3 Screensaver Lock After Idle Periodxccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_enabled mediumCCE-80112-6 </div><div class="panel-heading"><h3 class="panel-title">Enable GNOME3 Screensaver Lock After Idle Period</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_enabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:12</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80112-6">CCE-80112-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-010060</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86515r4_rule</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.10</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000056</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-11(b)</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.1.8</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000028-GPOS-00009</a>, <a href="">OS-SRG-000030-GPOS-00011</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To activate locking of the screensaver in the GNOME3 desktop when it is activated, add or set <code>lock-enabled</code> to <code>true</code> in <code>/etc/dconf/db/local.d/00-security-settings</code>. For example: <pre>[org/gnome/desktop/screensaver] lock-enabled=true </pre> Once the settings have been added, add a lock to <code>/etc/dconf/db/local.d/locks/00-security-settings-lock</code> to prevent user modification. For example: <pre>/org/gnome/desktop/screensaver/lock-enabled</pre> After the settings have been set, run <code>dconf update</code>.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to logout because of the temporary nature of the absense.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_activation_locked" id="rule-detail-idm46336712771440"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure Users Cannot Change GNOME3 Screensaver Idle Activationxccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_activation_locked mediumCCE-80564-8 </div><div class="panel-heading"><h3 class="panel-title">Ensure Users Cannot Change GNOME3 Screensaver Idle Activation</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_activation_locked</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:12</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80564-8">CCE-80564-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-010101</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-93703r1_rule</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.10</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000057</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-11(a)</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.1.8</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000029-GPOS-00010</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>If not already configured, ensure that users cannot change GNOME3 screensaver lock settings by adding <pre>/org/gnome/desktop/screensaver/idle-activation-enabled</pre> to <code>/etc/dconf/db/local.d/00-security-settings</code>. For example: <pre>/org/gnome/desktop/screensaver/idle-activation-enabled</pre> After the settings have been set, run <code>dconf update</code>.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to logout because of the temporary nature of the absense.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_dconf_gnome_enable_smartcard_auth" id="rule-detail-idm46336712743024"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Enable the GNOME3 Login Smartcard Authenticationxccdf_org.ssgproject.content_rule_dconf_gnome_enable_smartcard_auth mediumCCE-80108-4 </div><div class="panel-heading"><h3 class="panel-title">Enable the GNOME3 Login Smartcard Authentication</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_dconf_gnome_enable_smartcard_auth</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:12</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80108-4">CCE-80108-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000765</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000766</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000767</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000768</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000771</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000772</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000884</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001954</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.3</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000375-GPOS-00160</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-010061</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-92515r1_rule</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>In the default graphical environment, smart card authentication can be enabled on the login screen by setting <code>enable-smartcard-authentication</code> to <code>true</code>. <br><br> To enable, add or edit <code>enable-smartcard-authentication</code> to <code>/etc/dconf/db/gdm.d/00-security-settings</code>. For example: <pre>[org/gnome/login-screen] enable-smartcard-authentication=true</pre> Once the setting has been added, add a lock to <code>/etc/dconf/db/gdm.d/locks/00-security-settings-lock</code> to prevent user modification. For example: <pre>/org/gnome/login-screen/enable-smartcard-authentication</pre> After the settings have been set, run <code>dconf update</code>.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Smart card login provides two-factor authentication stronger than that provided by a username and password combination. Smart cards leverage PKI (public key infrastructure) in order to provide and verify credentials.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_gnome_gdm_disable_automatic_login" id="rule-detail-idm46336712734704"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable GDM Automatic Loginxccdf_org.ssgproject.content_rule_gnome_gdm_disable_automatic_login highCCE-80104-3 </div><div class="panel-heading"><h3 class="panel-title">Disable GDM Automatic Login</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_gnome_gdm_disable_automatic_login</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:12</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80104-3">CCE-80104-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FIA_AFL.1</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-010440</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86577r1_rule</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.1</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(b)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00229</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The GNOME Display Manager (GDM) can allow users to automatically login without user interaction or credentials. User should always be required to authenticate themselves to the system that they are authorized to use. To disable user ability to automatically login to the system, set the <code>AutomaticLoginEnable</code> to <code>false</code> in the <code>[daemon]</code> section in <code>/etc/gdm/custom.conf</code>. For example: <pre>[daemon] AutomaticLoginEnable=false</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Failure to restrict system access to authenticated users negatively impacts operating system security.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_gnome_gdm_disable_guest_login" id="rule-detail-idm46336712723840"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable GDM Guest Loginxccdf_org.ssgproject.content_rule_gnome_gdm_disable_guest_login highCCE-80105-0 </div><div class="panel-heading"><h3 class="panel-title">Disable GDM Guest Login</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_gnome_gdm_disable_guest_login</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2018-08-27T15:27:12</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80105-0">CCE-80105-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FIA_AFL.1</a>, <a href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-010450</a>, <a href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86579r2_rule</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.1</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(b)</a>, <a href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00229</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The GNOME Display Manager (GDM) can allow users to login without credentials which can be useful for public kiosk scenarios. Allowing users to login without credentials or "guest" account access has inherent security risks and should be disabled. To do disable timed logins or guest account access, set the <code>TimedLoginEnable</code> to <code>false</code> in the <code>[daemon]</code> section in <code>/etc/gdm/custom.conf</code>. For example: <pre>[daemon] TimedLoginEnable=false</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Failure to restrict system access to authenticated users negatively impacts operating system security.</p></div></td></tr></tbody></table></div></div><a href="#result-details"><button type="button" class="btn btn-secondary">Scroll back to the first rule</button></a></div><div id="rear-matter"><div class="row top-spacer-10"><div class="col-md-12 well well-lg"><div class="rear-matter">Red Hat and Red Hat Enterprise Linux are either registered trademarks or trademarks of Red Hat, Inc. in the United States and other countries. All other names are registered trademarks or trademarks of their respective companies. </div></div></div></div></div></div><footer id="footer"><div class="container"><p class="muted credit"> Generated using <a href="http://open-scap.org">OpenSCAP</a> 1.2.17</p></div></footer></body></html>
View Attachment As Raw
Actions:
View
Attachments on
bug 1392681
:
1270865
| 1478985